W32/MyWife.d@MM!M24
(aka Blackworm)
Jan. 26, 2006
Platform: Windows 95/98/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4682 (released 1/25/2006)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_138027.htm
http://www.sophos.com/virusinfo/analyses/w32nyxemd.html (Sophos)
http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html (Symantec)
http://isc.sans.org/blackworm (SANS ISC)
Symantec Blackmal removal tool
Be on the alert for a new worm, called Blackworm, that spreads via email attachments and writable file shares. The email claims to contain obscene pictures and sex movies. McAfee rates the threat Low, but it has been receiving considerable press.
It carries a data-destroying payload that triggers on February 3, 2006, and again on the 3rd of every month. Blackworm destroys DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP files by replacing their contents with the string:
DATA Error [47 0F 94 93 F4 K5]
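The only reliable way to know what the payload has hit after the 3rd is to look for files that now consist of nothing but that marker. The script below is an added example written for this page, not a McAfee or UH tool: it walks a directory tree (a local drive or a mounted share) and lists target-type files whose content is exactly the marker string. The sample tree it builds is constructed for the demonstration, and the assumption that the marker is written without a trailing newline is noted in the code.

```python
import tempfile
from pathlib import Path

# Exact bytes Blackworm writes over each target file (quoted in the alert).
# Assumption: no trailing newline; the comparison tolerates one anyway.
BLACKWORM_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"
# File types the alert says the payload destroys
TARGET_EXT = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
              ".zip", ".rar", ".pdf", ".psd", ".dmp"}


def is_destroyed(path):
    """True if `path` contains nothing but the Blackworm marker."""
    try:
        if path.stat().st_size > 64:        # marker is a few dozen bytes; skip real documents
            return False
        with path.open("rb") as f:
            return f.read().rstrip(b"\r\n") == BLACKWORM_MARKER
    except OSError:                          # locked or unreadable: cannot judge, skip
        return False


def find_destroyed_files(root):
    """Walk `root` (a local drive or a mounted share) and return the sorted list
    of target-type files whose content has been replaced by the marker. These
    files cannot be repaired; they must come back from backup."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in TARGET_EXT and is_destroyed(path):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_demo_tree():
    """Constructed sample tree (not real victim data): two overwritten files,
    one intact document and a marker in a file type the worm does not touch."""
    root = Path(tempfile.mkdtemp(prefix="blackworm_demo_"))
    (root / "reports").mkdir()
    (root / "reports" / "q4.xls").write_bytes(BLACKWORM_MARKER)
    (root / "thesis.doc").write_bytes(BLACKWORM_MARKER + b"\r\n")
    (root / "intact.pdf").write_bytes(b"%PDF-1.4\n" + b"x" * 2000)
    (root / "notes.txt").write_bytes(BLACKWORM_MARKER)       # .txt is not targeted
    return root


if __name__ == "__main__":
    for hit in find_destroyed_files(build_demo_tree()):
        print("destroyed:", hit)
```

Run it against a share root after the trigger date; the size check keeps it from reading every document on the share, so it is cheap enough to run over a large file server.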
Blackworm is also called W32/MyWife.d@MM!M24 (McAfee), W32/Nyxem-D (Sophos) and W32.Blackmal.e@mm (Symantec). It has been assigned CME-24. See
http://cme.mitre.org/ for other aliases for Blackworm.
Once a system on your network is infected, it tries to copy itself to every file share it can write to. You may see a new file with a WinZip ("zip file") icon on your desktop.
The worm also:
- Turns off anti-virus applications
- Sends itself to email addresses found on the infected computer
- Destroys files on the computer (see the payload above)
- Forges the sender's email address
- Uses its own emailing engine
- Downloads code from the internet
- Reduces system security
- Installs itself in the Registry
WHAT TO DO
McAfee has released DAT files that detect this threat. It is very important to keep your anti-virus DAT files current, as updates are released daily. You need McAfee DAT 4682 (released 1/25/06) or later to detect W32/MyWife.d@MM!M24.
Update your DAT files to the current version, scan all files on your local hard drives, and make sure your file shares have strong passwords. Disable file sharing if you do not need it. Because the worm writes to C$ and Admin$ with the credentials of the logged-on user, it also helps not to do day-to-day work from an account that has administrator rights on other machines.
EMAIL COMPONENT
The worm arrives via email with a spoofed FROM address and either a PIF attachment or a MIME-encoded attachment (.mim, .uue, .b64, .hqx, .bhx) that wraps the executable.
SUBJECT: includes one of the following or may be blank
- Photos
- My photos
- School girl fantasies gone bad
- Part 1 of 6 Video clipe
- *Hot Movie*
- Re:
- Fw: Picturs
- Fw: Funny :)
- Fwd: Photo
- Fwd: image.jpg
- Fw: Sexy
- Fw:
- Fwd: Crazy illegal Sex!
- Fw: Real show
- Fw: SeX.mpg
- Fw: DSC-00465.jpg
- Re: Sex Video
- Word file
- the file
- eBook.pdf
- Miss Lebanon 2006
- A Great Video
- give me a kiss
BODY: (varies, such as)
- Note: forwarded message attached.
- You Must View This Videoclip!
- >> forwarded message
- i just any one see my photos.
- forwarded message attached.
- Please see the file.
- ----- forwarded message -----
- The Best Videoclip Ever
- Hot XXX Yahoo Groups
- F***in Kama Sutra pics
- ready to be F***ED ;)
- VIDEOS! FREE! (US$ 0,00)
- It's Free :)
- hello,
- i send the file.
- bye
- hi
- i send the details
- i attached the details.
- how are you?
- What?
- Thank you
- i send the details.
- OK ?
ATTACHMENT: may either be an executable itself or a MIME-encoded file which contains the executable.
The executable filename is one of the following:
- 04.pif
- 007.pif
- School.pif
- photo.pif
- DSC-00465.Pif
- Arab sex DSC-00465.jpg
- image04.pif
- 677.pif
- DSC-00465.pIf
- New_Document_file.pif
- eBook.PIF
- document.pif
The MIME-encoded filename is one of the following:
- SeX.mim
- Sex.mim
- WinZip.BHX
- 3.92315089702606E02.UUE
- Attachments[001].B64
- eBook.Uu
- Word_Document.hqx
- Word_Document.uu
- Attachments00.HQX
- Attachments001.BHX
- Video_part.mim
W32/Mywife.d copies itself with some of the following filenames:
- <Windows>\Rundll16.exe
- <System>\scanregw.exe
- <System>\Winzip.exe
- <System>\Update.exe
- <System>\WinZip_Tmp.exe
- <System>\New WinZip File.exe
- movies.exe
- Zipped Files.exe
NETWORK SHARE COMPONENT
The worm will attempt to copy itself to the following shares, using the current user's authentication:
- C$\documents and settings\all users\start menu\programs\startup\winzip quick pick.exe
- Admin$\winzip_tmp.exe
- C$\winzip_tmp.exe
The worm creates scheduled tasks to run winzip_tmp.exe during the 59th minute of every hour.
If you need assistance, please contact the ITS Help Desk at 956-8883, email help@hawaii.edu or
call toll free from neighbor islands (800) 558-2669.
W32/Sober@MM!M681
(aka W32/Sober-Z (Sophos))
November 23, 2005
Platform: Windows 95/98/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4635 (released 11/23/2005)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_137072.htm
http://www.sophos.com/virusinfo/analyses/w32soberz.html (Sophos)
Stinger removal tool (v2.5.9, 11/22/05)
As reported yesterday, a new Sober email virus variant is circulating on the Internet with a spoofed FROM address (examples reported include hostmaster@hawaii.edu, postman@hawaii.edu, admin@yahoo.com, admin@cia.gov) and a ZIP attachment.
McAfee has raised the risk assessment to Medium due to increased prevalence. Please update your McAfee DAT to 4635 (released 11/23/05) to detect this threat.
The Stinger removal tool (v2.5.9, renamed stng259.exe because the worm terminates processes named "stinger") has been updated (11/22/05) to detect this threat. Download Stinger from http://vil.nai.com/vil/stinger/ and run it if you suspect that your computer has been infected.
The attachment is one of the following:
- reg_pass-data.zip
- reg_pass.zip
- question_list.zip
- mailtext.zip
- mail_body.zip
- mail.zip
- list.zip
- email_text.zip
Here are samples of the Sober virus email:
Subject: hi, ive a new mail address
Body:
hey its me, my old address dont work at time. i dont know why?!
in the last days ive got some mails. i' think thaz your mails but im not
sure!
plz read and check ...
cyaaaaaaa
Subject: Registration Confirmation
or
Subject: Your Password
Body: Account and Password Information are attached!
Subject: Paris Hilton & Nicole Richie
Body:
The Simple Life:
View Paris Hilton & Nicole Richie video clips , pictures & more ;)
Download is free until Jan, 2006!
Please use our Download manager.
Subject: You visit illegal websites
Body:
Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
++++ Central Intelligence Agency -CIA-
++++ Office of Public Affairs
++++ Washington, D.C. 20505
++++ phone: (703) 482-0623
++++ 7:00 a.m. to 5:00 p.m., US Eastern time
Subject: You visit illegal websites
Body:
Dear Sir/Madam,
we have logged your IP-address on more than 30 illegal Websites.
Important:
Please answer our questions!
The list of questions are attached.
Yours faithfully,
Steven Allison
*** Federal Bureau of Investigation -FBI-
*** 935 Pennsylvania Avenue, NW, Room 3220
*** Washington, DC 20535
*** phone: (202) 324-3000
Subject: Registration_Confirmation
Body:
Protected message is attached!
***** Go to: http://www.your_domain
***** Email: postman@your_domain
The virus also sends email messages in German.
When the attachment is opened, a fake error message "error in packed header" is displayed. The virus creates a directory, WinSecurity, in %Windir%, the default Windows directory (c:\windows or c:\winnt). It copies itself as the following files:
- %Windir%\csrss.exe
- %Windir%\WinSecurity\services.exe
- %Windir%\WinSecurity\smss.exe
It creates MIME-encoded .ZIP files that contain a copy of the worm:
- %Windir%\WinSecurity\socket1.ifo
- %Windir%\WinSecurity\socket2.ifo
- %Windir%\WinSecurity\socket3.ifo
It creates other non-malicious files in %Windir%\WinSecurity and %System%, the default System directory (c:\windows\system for Win95/98/ME, c:\Winnt\System32 for WinNT/2000, c:\Windows\System32 for WinXP).
Two registry values are created to load the worm on startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "_Windows" = C:\WINDOWS\WinSecurity\services.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " Windows" = C:\WINDOWS\WinSecurity\services.exe
(Note the leading underscore and the leading space in the value names; they are a useful indicator when reviewing the Run keys.)
It gathers email addresses from files on the infected computer and attempts to terminate security processes, including McAfee's Stinger removal tool (hence the renamed download). See the virus description for the list of processes.
W32/Bagle.ck
(aka Troj/BagleDL-U (Sophos))
September 19, 2005
Platform: Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4585 (released 9/19/2005)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_136039.htm
http://www.sophos.com/virusinfo/analyses/trojbagledlu.html (Sophos)
A new Bagle variant was mass spammed today. It arrives via email as a .ZIP attachment whose filename includes the word "price" (price.zip, price2.zip, newprice.zip, 09_price.zip, etc.). Other similar Bagle variants were also mass spammed today.
This variant copies itself to the Windows system folder (c:\windows\system32, c:\winnt\system32 or c:\windows\system) as WINSHOST.EXE and adds the following registry hooks:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = C:\WINDOWS\System32\winshost.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = C:\WINDOWS\System32\winshost.exe
- HKEY_CURRENT_USER\Software\FirstRun (infection marker)
It also drops wiwshost.exe in the system directory. This file is injected into the EXPLORER process and tries to download a file named osa6.gif from various sites.
It attempts to terminate processes and services and to delete registry entries related to security and antivirus programs.
It overwrites the HOSTS file with the single line below, discarding any existing entries:
127.0.0.1 localhost
W32/IRCbot.worm!MS05-039
(aka W32.Zotob.E (Symantec), W32/Tpbot-A (Sophos))
August 16, 2005
Platform: Windows 2000
Risk Assessment: High
Minimum VirusScan DAT: 4560 (released 8/16/2005)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_135491.htm
Stinger removal tool: v2.5.6 (8/16/05)
W32/IRCbot.worm!MS05-039 spreads via IRC (Internet Relay Chat) and over the network by exploiting Windows systems unpatched for the MS05-039 Plug and Play (PnP) vulnerability.
You must patch your Windows system, or it will get reinfected. Many worms now exploit the MS05-039 PnP vulnerability (see War of the Worms).
To Patch Your Windows System
Open Internet Explorer and go to
http://windowsupdate.microsoft.com and install all critical updates.
If you are having problems with the windowsupdate site, download the MS05-039 patch from:
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx
Be sure to click on the right link for your operating system.
You may use the Stinger removal tool (dated 8/16/05) to scan your hard drive for this worm. The order matters: patch first, then update your DAT, then scan your hard drive. A cleaned but unpatched host is simply reinfected by the next scan of the network.
The worm can run on, but not infect, computers running Windows 95/98/ME/NT4/XP. Although these operating systems can not be infected, they can still be used to infect vulnerable computers that they connect to.
The worm is designed to contact a remote IRC server and wait for further instructions from the hacker.
When the file is run, the worm copies itself into the Windows System directory as wintbp.exe. The file can be run automatically through the MS05-039 exploit or by a hacker directly executing the worm.
A registry value is created to load the worm at startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "wintbp.exe" = wintbp.exe
The infected computer scans the network for Windows computers unpatched for the MS05-039 vulnerability on tcp port 445. When a vulnerable system is found, it uses a buffer overflow to write the worm to the computer via a TFTP upload on port 8594.
The infected computer may become unstable and reboot.
W32/Zotob-A and W32/Zotob-B (Sophos)
(aka W32/Zotob.worm)
August 15, 2005
Platform: Windows 2000
Risk Assessment: Low
Minimum VirusScan DAT: 4558 (released 8/15/2005)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_135433.htm
http://www.sophos.com/virusinfo/analyses/w32zotoba.html (Sophos)
http://www.sophos.com/virusinfo/analyses/w32zotobb.html (Sophos)
http://www.f-secure.com/v-descs/zotob_a.shtml (F-Secure)
http://www.f-secure.com/v-descs/zotob_b.shtml (F-Secure)
The W32/Zotob-A worm exploits the MS05-039 plug and play vulnerability (KB899588); the security bulletin was issued by Microsoft on August 9, 2005. Details and patches are available at
http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx. A remote attacker could exploit the vulnerability and take complete control of the affected system. Windows 2000 systems are primarily at risk.
Note: All Windows systems should be updated with the latest round of Windows patches released by Microsoft on August 9, 2005. Open Internet Explorer and go to http://windowsupdate.microsoft.com. Apply all critical patches.
W32/Zotob-A spreads via the network by scanning for vulnerable unpatched systems on destination tcp port 445, exploiting buffer overflow vulnerabilities, including LSASS (MS04-011) and PnP (MS05-039). It runs continuously in the background. It provides a backdoor server allowing a remote hacker to gain access and control over the computer.
Spreading using Plug and Play service vulnerability
(From F-Secure
http://www.f-secure.com/v-descs/zotob_a.shtml)
The worm scans for systems vulnerable to Microsoft Windows Plug and Play service (MS05-039) through TCP/445.
It creates 300 threads that connect to random IP addresses within the B-class (255.255.0.0) network of the infected system. First it tests connection to port 445 and if successful, it tries to exploit the vulnerability. If the attack is successful a shell (cmd.exe) is started on port 8888. Through the shell port, the worm sends a ftp script which instructs the remote computer to download and execute the worm from the attacker computer using FTP. The FTP server listens on port 33333 on all infected computers with the purpose of serving out the worm for other hosts that are being infected. The downloaded file is saved as 'haha.exe' on disk.
Here's the summary of the ports used in attack:
Port 445 - The worm scans for systems vulnerable to PnP exploit through this port
Port 33333 - FTP server port on infected systems
Port 8888 - The command shell port opened by the exploit code
The exploit uses fixed offsets inside Windows 2000 version of umpnpmgr.dll.
This means that only Windows 2000 systems (SP0-4) are affected.
-------------------------------
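Both the IRCbot/Zotob.E entry above (tcp/445 sweep, transfer on port 8594) and the F-Secure description of Zotob-A just quoted (tcp/445 sweep of the local /16, shell on 8888, FTP on 33333) boil down to one network pattern: one host opening SMB to many neighbours, followed by traffic on a port no ordinary workstation uses. The detector below is an added example, not part of the alert or of F-Secure's text. The log line format and the sample log are constructed for the demonstration (adapt LINE_RE to your firewall or flow sensor), and the 20-host threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed firewall/flow log format (an assumption; adapt the regex to your sensor):
#   <date> <time> <proto> <src>:<sport> -> <dst>:<dport> <flags>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$")

PNP_PORT = 445                 # the PnP/MS05-039 exploit goes over SMB
FOLLOWUP_PORTS = {             # secondary ports named in the alerts above
    8888: "Zotob-A exploit shell (cmd.exe) on the victim",
    33333: "Zotob-A FTP server handing out the worm",
    8594: "IRCbot.worm/Zotob.E transfer port",
}
SCAN_THRESHOLD = 20            # distinct hosts probed on tcp/445 before calling it a scan


def analyze(lines, threshold=SCAN_THRESHOLD):
    """Return {src_ip: [finding, ...]} for hosts that sweep tcp/445 and for any
    connection to the worms' secondary ports, in either direction of the attack."""
    probed = defaultdict(set)
    findings = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        dport = int(m["dport"])
        if m["proto"] == "TCP" and dport == PNP_PORT and "SYN" in m["flags"]:
            probed[m["src"]].add(m["dst"])
        if dport in FOLLOWUP_PORTS:
            findings[m["src"]].append(
                f"{m['ts']} {m['proto']}/{dport} to {m['dst']}: {FOLLOWUP_PORTS[dport]}")
    for src, dsts in probed.items():
        if len(dsts) >= threshold:
            same_b = sum(d.split(".")[:2] == src.split(".")[:2] for d in dsts)
            findings[src].insert(0, f"{len(dsts)} hosts probed on tcp/445 "
                                    f"({same_b} in the source's own /16): PnP/MS05-039 scan")
    return dict(findings)


def demo_log():
    """Constructed sample: 10.1.2.3 sweeps its /16; 10.1.115.17 is exploited,
    gets a shell connection on 8888 and fetches the worm from 10.1.2.3:33333;
    10.1.2.9 just talks to one file server and a web server."""
    lines = [f"2005-08-15 09:12:{i:02d} TCP 10.1.2.3:{1030 + i} -> 10.1.{100 + i}.17:445 SYN"
             for i in range(30)]
    lines += [
        "2005-08-15 09:12:31 TCP 10.1.2.3:1061 -> 10.1.115.17:8888 SYN",
        "2005-08-15 09:12:32 TCP 10.1.115.17:1025 -> 10.1.2.3:33333 SYN",
        "2005-08-15 09:13:00 TCP 10.1.2.9:1040 -> 10.1.5.5:445 SYN",
        "2005-08-15 09:13:01 TCP 10.1.2.9:1041 -> 10.1.5.5:80 SYN",
    ]
    return lines


if __name__ == "__main__":
    for host, notes in analyze(demo_log()).items():
        print(host)
        for note in notes:
            print("   ", note)
```

The scan finding is listed first for the scanning host so that the attacker stands out from its victims; a victim shows up only through its fetch of the worm (here the FTP connection to 33333), which is exactly the host to pull off the network and patch.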
When first run, W32/Zotob-A copies itself to %System%\botzor.exe.
The following registry entries are created to run botzor.exe on startup:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "WINDOWS SYSTEM" = botzor.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "WINDOWS SYSTEM" = botzor.exe
W32/Zotob-A also sets the following registry entry, which disables the SharedAccess service (Windows Firewall / Internet Connection Sharing) so that it no longer starts with Windows:
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess "Start" = 4
The worm may drop a file 2pac.txt. This is a text file that may be safely deleted.
W32/Zotob-A also appends entries to the system HOSTS file in order to prevent access to certain websites, including common security and antivirus websites.
W32/Zotob-B, a worm and backdoor Trojan, is similar to W32/Zotob-A. When first run, W32/Zotob-B copies itself to %System%\csm.exe and creates the following registry entries so as to auto-start:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "csm Win Updates" = csm.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "csm Win Updates" = csm.exe
W32/Zotob-B sets the following registry entry, disabling the SharedAccess service (Windows Firewall / Internet Connection Sharing):
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess "Start" = 4
W32/SDbot.worm!MS05-039
August 15, 2005
Platform: Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4558 (released 8/15/2005)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_135434.htm
August 15, 2005 9:15 am HST
We have received reports of several unpatched Windows systems on campus getting infected with the new variant W32/Sdbot.worm!MS05-039. This worm exploits the MS05-039 Plug and Play vulnerability, which Microsoft announced on August 9, 2005.
Please update your McAfee VirusScan DAT to 4558 as soon as possible, using the "Update Now" command.
Go to http://windowsupdate.microsoft.com using Internet Explorer and apply all critical Windows patches. You must patch your system. Technical details and the patch for the MS05-039 Plug and Play vulnerability are available at http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx .
This worm and the W32/Zotob worms scan the network for unpatched systems to exploit the MS05-039 Plug and Play vulnerability.
Method of Infection
This threat can be instructed to scan for MS05-039-exploitable systems. When a vulnerable system is found, a buffer overflow and shellcode are sent to the remote system, creating an FTP script and launching FTP.EXE to download and execute the worm from the source system.
If you suspect that your system has been infected (e.g. system shuts down and restarts by itself), please patch your Windows system, update your VirusScan DAT to 4558 and scan your hard drive. You may get a "buffer overflow protection" error message in VirusScan.
W32/Mytob-DY (Sophos)
(aka W32/Mytob.eu@MM)
August 3, 2005
Platform: Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4549 (released 8/3/2005)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_135062.htm
http://www.sophos.com/virusinfo/analyses/w32mytobdy.html
August 3, 2005 11:30 am HST
Word of caution: a new Mytob variant, W32/Mytob-DY (Sophos) or W32/Mytob.eu@MM (McAfee), may be circulating on campus with a spoofed @hawaii.edu FROM address, e.g. register@hawaii.edu, and an attachment. The email may claim that there is a problem with your email account or that you have successfully changed your password.
If you receive suspicious email, do NOT open the attachment. Please DELETE the messages.
The UH mail server (mail.hawaii.edu) is currently scanning for this threat. McAfee VirusScan (DAT 4548 and higher) detects the attachment as Generic Malware.a!.zip.
W32/Mytob-DY spreads via email with a spoofed FROM: address and attachment. It turns off anti-virus applications, allows hackers to access the computer, and mass mails itself to email addresses found on the infected computer.
FROM: (spoofed)
SUBJECT: (one of the following)
- Your Account is Suspended
- *DETECTED* Online User Violation
- Your Account is Suspended For Security Reasons
- Warning Message: Your services near to be closed.
- Important Notification
- Members Support
- Security measures
- Email Account Suspension
- Notice of account limitation
- Your password has been updated
- Your password has been successfully updated
- You have successfully updated your password
- Your new account password is approved
MESSAGE TEXT: (one of the following)
Dear user [str],
You have successfully updated the password of your [str] account.
If you did not authorize this change or if you need assistance with your account, please contact [str] customer service at: [str]
Thank you for using [str]!
The [str] Support Team
+++ Attachment: No Virus (Clean)
+++ [str] Antivirus - www.[str]
Dear user [str],
It has come to our attention that your [str] User Profile ( x ) records are out of date. For further details see the attached document.
Thank you for using [str]!
The [str] Support Team
+++ Attachment: No Virus (Clean)
+++ [str] Antivirus - www.[str]
Dear [str] Member,
We have temporarily suspended your email account [str].
This might be due to either of the following reasons:
1. A recent change in your personal information (i.e. change of address).
2. Submiting invalid information during the initial sign up process.
3. An innability to accurately verify your selected option of subscription due to an internal error within our processors.
See the details to reactivate your [str] account.
Sincerely,The [str] Support Team
+++ Attachment: No Virus (Clean)
+++ [str] Antivirus - www.[str]
Dear [str] Member,
Your e-mail account was used to send a huge amount of unsolicited spam messages during the recent week. If you could please take 5-10 minutes out of your online experience and confirm the attached document so you will not run into any future problems with the online service. If you choose to ignore our request, you leave us no choice but to cancel your membership.
Virtually yours,
The [str] Support Team
+++ Attachment: No Virus found
+++ [str] Antivirus - www.[str]
In the above message text [str] would be replaced with text from the user's email address.
ATTACHMENT: (one of the following base file names with file extension CMD, PIF, SCR, EXE or ZIP; the worm may create a double extension with a DOC, TXT or HTM first extension and a final extension of BAT, CMD, PIF, SCR, EXE or ZIP)
- accepted-password
- account-details
- account-info
- account-password
- account-report
- approved-password
- document
- email-details
- email-password
- important-details
- new-password
- password
- readme
- updated-password
Here is an example of the W32/Mytob-DY email:
Date: Wed, 03 Aug 2005 08:49:37 -0300
From: register@hawaii.edu <==== this is spoofed; not a valid UH username
To: uhusername@hawaii.edu
Subject: Your password has been successfully updated
Dear user uhusername,
You have successfully updated the password of your Hawaii account.
If you did not authorize this change or if you need assistance with your
account, please contact Hawaii customer service at: register@hawaii.edu
Thank you for using Hawaii!
The Hawaii Support Team
+++ Attachment: No Virus (Clean)
+++ Hawaii Antivirus - www.hawaii.edu
Attachment: accepted-password.zip (58KB)
When run, W32/Mytob-DY copies itself to the Windows system folder as raloded.exe and sets the following registry entries in order to run each time a user logs on:
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Msn Service" = raloded.exe
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Msn Service" = raloded.exe
W32/Mytob-DY sets the following registry entry, disabling the SharedAccess service (Windows Firewall / Internet Connection Sharing):
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess "Start" = 4
W32/Mytob-DY modifies the HOSTS file, changing the name-to-IP mappings for selected websites, including security websites, to point to the local machine. This prevents normal access to these websites.
W32/Mytob-AZ (Sophos)
(aka W32/Mytob.aw@MM (McAfee))
May 16, 2005
Platform: Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Low
Minimum VirusScan DAT: 4492 (released 5/16/2005)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_133762.htm
http://www.sophos.com/virusinfo/analyses/w32mytobaz.html
May 16, 2005 5:00 pm HST
A new variant of the W32/Mytob mass-mailing worm and backdoor Trojan has been seen circulating on campus, spoofing FROM address Mail@hawaii.edu. It claims to be a problem with your email account. Please do not open suspicious email with attachments with ZIP, EXE, PIF, SCR or CMD extensions.
The UH mail server (mail.hawaii.edu) is scanning for this virus. Information is sparse at the McAfee website. The latest DAT 4492 is presumed to detect this variant (believed to be named W32/Mytob.aw@MM by McAfee). The UH repositories have been updated with DAT 4492. Please update your McAfee VirusScan DAT file as soon as possible, using the manual "Update Now" procedure (see http://www.hawaii.edu/antivirus/howtoupdate.html for instructions). Details will be posted as anti-virus vendor websites are updated.
Virus Description (from the Sophos website):
The virus allows a remote hacker to gain access and control over the infected computer via IRC channels.
It modifies the HOSTS file, changing the URL to IP mappings for selected websites, thus preventing normal access to these sites.
The virus is spread via mass emailing with the following characteristics:
FROM: (spoofed)
SUBJECT: (one of following)
- *IMPORTANT* Please Validate Your Email Account
- *IMPORTANT* Your Email Account Has Been Locked
- Email Account Suspension
- Your Email Account is Suspended For Security Reasons
- Security Measures
- Notice:***Your email account will be suspended***
- Your email account access is restricted
- Notie:***Last Warning***
MESSAGE TEXT: (one of following)
- "To safeguard your email account from possible termination, please see the attached file."
- "Once you have completed the form in the attached file , your account records will not be interrupted and will continue as normal."
- "We have suspended some of your email services, to resolve the problem you should read the attached document."
- "please look at attached document."
- "Account Information Are Attached!"
- "Follow the instructions in the attachment."
ATTACHMENT: ZIP, EXE, PIF, SCR or CMD file extension with one of the following basenames:
- email-text
- document_full
- information
- info-text
- Your_details
- IMPORTANT
- email-info
- email-doc
- INFO
Example of the W32/Mytob infected email detected on campus:
From: Mail@hawaii.edu (spoofed)
Subject: Notice:***Your email account will be suspended***
We have suspended some of your email services, to resolve the
problem you should read the attached document.
Attachment:
(Name: "info-text.bat") 45KB
When first run, W32/Mytob-AZ copies itself to the Windows System directory as LienVandeKelder.exe.
W32/Mytob-AZ creates the following registry entries so that the worm is run when a user logs on to Windows:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run "http://www.lienvandekelder.be" = LienVandeKelder.exe
- HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices "http://www.lienvandekelder.be" = LienVandeKelder.exe
W32/Sober.p@MM
(aka W32/Sober-N, W32.Sober.O@mm)
May 2, 2005
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4482 (released 5/2/2005)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_133409.htm
Stinger Removal Tool: v2.5.4 (5/2/05) (download filename has been renamed ST1NGER.EXE as Sober.p terminates "stinger" process names)
May 2, 2005 3:00 pm HST
McAfee has raised the threat level of W32/Sober.p@MM to medium due to increased prevalence. The UH repositories have been updated. Please update your VirusScan DAT to 4482 (released 5/2/05) as soon as possible.
See instructions for manually updating your VirusScan DAT files.
This virus is also known as W32/Sober-N (Sophos) and W32.Sober.O@MM (Symantec).
Virus Description
This mass mailing email worm pretends to have information about your email account or password in a .ZIP attachment. It sends itself to addresses harvested from the infected computer. The email message is constructed in German or English, depending on the domain of the recipients' email address. Once infected, the worm attempts to contact various TIME servers on TCP port 37.
These are the characteristics of the email (English version):
From: (spoofed, faked)
Subject line: One of the following:
- mailing error
- Registration Confirmation
- Your email was blocked
- Your Password
Message text: One of the following:
This is an automatically generated E-Mail Delivery Status Notification.
Mail-Header, Mail-Body and Error Description are attached
(See attached file: <zip file name>)
Account and Password Information are attached!
Visit: <URL>
*** AntiVirus: No Virus found
*** "<vendor name>" Anti-Virus
*** <vendor url>
(See attached file: <zip file name>)
Account and Password Information are attached!
Visit: <URL>
(See attached file: <zip file name>)
Account and Password Information are attached!
Visit: <URL>
*** Server-AntiVirus: No Virus (Clean)
*** "<vendor name>" Anti-Virus
*** <vendor url>
(See attached file: <zip file name>)
ok ok ok,,,,, here is it
*** AntiVirus: No Virus found
*** "<vendor name>" Anti-Virus
*** <vendor url>
(See attached file: <zip file name>)
Attached file: One of the following:
- mail_info.zip
- account_info.zip
- our_secret.zip
The attached filename may carry an optional prefix "error-" or an optional suffix "-text" before the ZIP extension.
The ZIP file contains an executable named Winzipped-Text_Data.txt<many spaces>.pif. The run of spaces pushes the real .pif extension out of view in most file listings, so the recipient sees what looks like a harmless text file.
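Every mail-borne worm on this page leans on the attachment name: Blackworm hides a .pif inside .mim/.uue/.b64/.hqx wrappers or calls the executable "Arab sex DSC-00465.jpg", Mytob-DY uses double extensions such as document.doc.pif, and Sober.p pads the name with spaces so that .pif scrolls out of view. The gateway check below is an added example for this page, not code from McAfee, Sophos or UH: it normalizes the name, unwraps uuencode, base64 and .mim containers, and then ignores the name where it matters, blocking anything whose bytes start with the PE "MZ" header. BinHex (.hqx/.bhx) is not decoded here and is simply blocked as an opaque container. The sample attachments are constructed (the "executable" is a bare DOS-header stub, not worm code).

```python
import base64
import binascii
import email
import re
from email import policy
from email.message import EmailMessage

# Extensions Windows runs on a double-click (the alerts above list PIF, SCR, EXE, CMD, BAT)
EXEC_EXT = {"pif", "scr", "exe", "com", "cmd", "bat"}
# Encoded wrappers Blackworm uses to smuggle the executable past extension filters
CONTAINER_EXT = {"mim", "uue", "uu", "b64", "hqx", "bhx"}


def final_extension(name):
    """The extension the Windows shell acts on: collapse the padding in names
    like 'Winzipped-Text_Data.txt<many spaces>.pif' and take the last part of
    double extensions such as 'document.doc.pif'."""
    collapsed = re.sub(r"\s+", " ", name.strip())
    return collapsed.rsplit(".", 1)[-1].strip().lower() if "." in collapsed else ""


def _uudecode(data):
    """Minimal uudecode: yield (name, bytes) for each 'begin <mode> <name>' ... 'end' block."""
    lines = data.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(rb"begin \d{3,4} (.+)$", lines[i])
        if m:
            inner, i = bytearray(), i + 1
            while i < len(lines) and lines[i].strip() != b"end":
                if lines[i].strip():
                    inner += binascii.a2b_uu(lines[i])
                i += 1
            yield m.group(1).decode("latin-1"), bytes(inner)
        i += 1


def unwrap(name, data):
    """Yield (inner_name, inner_bytes) for what an attachment really carries.
    Plain files yield themselves; BinHex (.hqx/.bhx) is left opaque here."""
    ext = final_extension(name)
    if ext == "mim":                      # a .mim is itself a MIME message
        msg = email.message_from_bytes(data, policy=policy.default)
        for part in msg.walk():
            if part.get_filename():
                yield part.get_filename(), part.get_payload(decode=True) or b""
    elif ext in ("uue", "uu"):
        yield from _uudecode(data)
    elif ext == "b64":
        yield name.rsplit(".", 1)[0], base64.b64decode(data)
    else:
        yield name, data


def classify_attachment(name, data):
    """Return ('block', reason) or ('allow', reason). Content wins over name:
    an 'MZ' header is blocked whatever the file is called."""
    for inner_name, inner in unwrap(name, data):
        ext = final_extension(inner_name)
        if inner[:2] == b"MZ":
            return "block", f"{inner_name!r} is a PE executable (MZ header)"
        if ext in EXEC_EXT:
            return "block", f"{inner_name!r} has executable extension .{ext}"
        if ext in CONTAINER_EXT:
            return "block", f"{inner_name!r} is an undecoded container (.{ext})"
    return "allow", "no executable content found"


# --- constructed samples (a bare DOS-header stub, not worm code) -------------
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60


def _mim_sample():
    msg = EmailMessage()
    msg["Subject"] = "Fw: Picturs"
    msg.set_content("forwarded message attached.")
    msg.add_attachment(FAKE_PE, maintype="application",
                       subtype="octet-stream", filename="School.pif")
    return msg.as_bytes()


SAMPLES = {
    "SeX.mim": _mim_sample(),
    "eBook.Uu": b"begin 644 eBook.PIF\n" + binascii.b2a_uu(FAKE_PE[:45]) + b"`\nend\n",
    "Attachments[001].B64": base64.b64encode(FAKE_PE),
    "Winzipped-Text_Data.txt" + " " * 40 + ".pif": FAKE_PE,
    "Arab sex DSC-00465.jpg": FAKE_PE,                        # executable despite .jpg
    "WinZip.BHX": b"(This file must be converted with BinHex 4.0)\n",
    "DSC-00465.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x00" * 32,  # genuine JPEG header
}


def scan_samples():
    """Verdict per sample name."""
    return {name: classify_attachment(name, data)[0] for name, data in SAMPLES.items()}
```

Only the genuine JPEG is allowed; the six others are blocked, four of them purely on the MZ header, which is the check that survives the next renaming trick. A .mim that wraps a .uue is not handled recursively here; a production filter should re-run unwrap on each inner part until nothing unwraps further.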
When the ZIP file is extracted and the PIF file is manually executed, the virus may display a fake error message.
The worm copies itself to a newly created directory under the WINDOWS directory and creates registry run entries to load itself at system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "_WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run " WinStart" = C:\WINDOWS\Connection Wizard\Status\services.exe
File Symptoms
The following files are created:
- c:\WINDOWS\Connection Wizard\Status\fastso.ber
- c:\WINDOWS\system32\adcmmmmq.hjg
- c:\WINDOWS\system32\langeinf.lin
- c:\WINDOWS\system32\nonrunso.ber
- c:\WINDOWS\system32\seppelmx.smx
- c:\WINDOWS\system32\xcvfpokd.tqa
The following files are MIME encoded versions of the worm in a ZIP file:
- c:\WINDOWS\Connection Wizard\Status\packed1.sbr
- c:\WINDOWS\Connection Wizard\Status\packed2.sbr
- c:\WINDOWS\Connection Wizard\Status\packed3.sbr
The following files contain email related data (such as domain names)
- c:\WINDOWS\Connection Wizard\Status\sacri1.ggg
- c:\WINDOWS\Connection Wizard\Status\sacri2.ggg
- c:\WINDOWS\Connection Wizard\Status\sacri3.ggg
- c:\WINDOWS\Connection Wizard\Status\voner1.von
- c:\WINDOWS\Connection Wizard\Status\voner2.von
- c:\WINDOWS\Connection Wizard\Status\voner3.von
The following files are copies of the worm:
- c:\WINDOWS\Connection Wizard\Status\csrss.exe
- c:\WINDOWS\Connection Wizard\Status\services.exe
- c:\WINDOWS\Connection Wizard\Status\smss.exe
Note: there are legitimate Windows files named csrss.exe, services.exe, and smss.exe in the c:\Windows\system32 directory.
Once the computer is infected, the antivirus scanner may be unable to detect the worm's files, because the running worm denies read access to them. If you suspect that your computer is infected, reboot into Safe Mode, make sure your DAT is updated to 4482, and run a full scan of your hard drive. Delete the files flagged as infected, then restart the computer in normal mode.
W32/Bagle.dldr
(aka Trojan.Tooso.B, Troj/BagleDI-L)
March 1, 2005
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4437 (released 3/1/2005)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_129512.htm
March 1, 2005 12:15 pm HST
McAfee has raised the risk level of W32/Bagle.dldr to medium because of increased prevalence. DAT 4437 has been released early to detect this threat. The UH repositories have been updated. Please update your VirusScan DAT by manually running "Update Now" (instructions are at http://www.hawaii.edu/antivirus/howtoupdate.html).
New variants of this Bagle downloader have been mass-spammed in the last 12 hours. These variants are not known at present to be dropped by any mass-mailing Bagle variants, and these variants do not mass-mail themselves.
This trojan downloader attempts to download a file from several remote websites to %Windows%\_re_file.exe and execute it. It attempts to disable services and delete registry keys belonging to security applications such as antivirus and firewall software, to rename files belonging to security applications (so they no longer run), and to block access to security-related websites by adding entries to the Windows HOSTS file that point those sites at the loopback address 127.0.0.1.
Outgoing TCP connections to port 80 (HTTP) are established and it tries to download a file from a very long list of websites (some may be decoys). Malware is downloaded and executed by some Bagle variants:
This variant copies itself to the default Windows System directory %WinDir%\system32 as WINSHOST.EXE (34,304 bytes) and adds the following registry hooks:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DownloadManager
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = %WinDir%\system32\winshost.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "winshost.exe" = %WinDir%\system32\winshost.exe
It drops a file wiwshost.exe (18,944 bytes), which is detected by DAT 4333 and above as W32/Bagle.dll.gen. This file is injected into the EXPLORER process and tries to download a file named zo2.jpg from various sites. It also terminates security services like its predecessors and in some cases renames the main security program executable.
W32/Mydoom.be@MM
February 22, 2005
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4431 (released 2/21/2005)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_131868.htm
Stinger removal tool (v2.5.2, 2/21/05)
W32/Mydoom.be@MM is similar to previous variants of Mydoom.
Virus Description:
W32/Mydoom.be@MM is a mass mailing email worm with these characteristics:
- has its own SMTP engine to construct messages
- harvests email addresses from the victim's computer:
- DOC, TXT, HTM, and HTML files
- addresses from active Outlook windows
- queries lycos, altavista, yahoo and google search engines for email addresses
- spoofs the FROM address (pretends to be sent from an email address and may appear to be a system message or bounced email message from the Postmaster)
- downloads the BackDoor-CEB.f trojan
- opens various TCP ports on the victim computer
W32/Mydoom.be@MM arrives via email with the following characteristics:
FROM: (spoofed; made to appear like a system message or a bounced email message)
- mailer-daemon@(target_domain)
- noreply@(target_domain)
- postmaster@(target_domain)
with display names (one of the following):
- "Postmaster"
- "Mail Administrator"
- "Automatic Email Delivery Software"
- "Post Office"
- "The Post Office"
- "Bounced mail"
- "Returned mail"
- "MAILER-DAEMON"
- "Mail Delivery Subsystem"
SUBJECT: (one of the following):
- hello
- hi
- error
- status
- test
- report
- delivery failed
- Message could not be delivered
- Mail System Error - Returned Mail
- Delivery reports about your e-mail
- Returned mail: see transcript for details
- Returned mail: Data format error
BODY: message is blank or may be similar to the following:
Dear user of [target domain],
Your account has been used to send a huge amount of unsolicited email
during the recent week.
Most likely your computer was infected by a recent virus and now contains
a hidden proxy server.
We recommend that you follow instructions in order to keep your computer
safe.
Have a nice day,
[target domain] support team
Dear user of [target domain]
We have received reports that your account was
used to send a large amount of junk email messages
during the last week.
Probably, your computer had been compromised and
now contains a hidden proxy server.
Please follow the instruction in the attached file
in order to keep your computer safe.
Have a nice day,
[domain] user support team.
Dear user of [target domain]
Mail server administrator of [domain] would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
[domain] user support team.
The message could not be delivered
The original message was included as attachment
The original message was received at [date & time] from [IP address]
----- The following addresses had permanent fatal errors -----
[email address]
----- Transcript of the session follows -----
... while talking to host [hostname]:
>>> MAIL From:[IP address]
<<< 501 User unknown
Session aborted
>>> RCPT To:[email address]
<<< 550 MAILBOX NOT FOUND
The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within [number] days:
Mail server is not responding
The following recipients did not receive this message:
[address]
Please reply to postmaster@[domain]
if you feel this message to be in error.
ATTACHMENT: may be the target email address, e.g. user@hawaii.edu, or one of the following filenames:
- README
- INSTRUCTION
- TRANSCRIPT
- MAIL
- LETTER
- FILE
- TEXT
- ATTACHMENT
- DOCUMENT
- MESSAGE
with an optional extension of DOC, TXT, HTM, HTML followed by a number of spaces and a final extension of EXE, COM, BAT, CMD, SCR or PIF. The attached file may also be a ZIP file (file may be doubly ZIPped) containing a file named as described.
The virus queries four search engines to harvest addresses returned from those queries:
- http://search.lycos.com
- http://www.altavista.com
- http://search.yahoo.com
- http://www.google.com
The virus also harvests email addresses from any Outlook window that is active on the victim computer.
The virus attempts to download the backdoor trojan, BackDoor-CEB.f, from the following websites:
- www.aartanridge.org.uk/YaBBImages/(neutered).gif
- www.eastcoastchoons.co.uk/4play/(neutered) .JPG
- www.foxalpha.com/charte/(neutered).jpg
- www.ribaforada.net/banners/(neutered) .gif
- www.sundayriders.co.uk/images/(neutered).gif
- www.hooping.org/archives/(neutered).JPG
- www.imogenheap.co.uk/iblog/(neutered).jpg
- www.newgenerationcomics.net/banner/(neutered).jpg
- ics.net/banner/(neutered).jpg <== not on W32/Mydoom.bd@MM
Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:
It also drops the file SERVICES.EXE into this directory:
The following Registry keys are added to hook system startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %WinDir%\JAVA.EXE
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%\SERVICES.EXE
The following Registry keys are also added:
- HKEY_CURRENT_USER\Software\Microsoft\Daemon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
Various TCP ports are opened on the victim machine by the SERVICES.EXE process to listen for incoming connections. This process also sends TCP network traffic from a high port of the infected machine to randomly generated IP addresses. When another IP address is found to be infected with the backdoor, the IP address of that machine is encrypted and written to a file named zincite.log.
W32/Bropia.worm.p
February 18, 2005
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4430 (released 2/18/2005)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_131862.htm
W32/Bropia.worm.p spreads through MSN messenger. The user must manually run the attachment in order to get infected. However, unlike previous variants it does not drop the W32/Sdbot.worm.gen worm.
The worm drops a copy of itself into the C:\ directory using any of the following filenames:
- c:\Beautiful A**.pif
- c:\John Kerry as Super Chicken.scr
- c:\Kool.pif
- c:\Me & you pic!.pif
- c:\Me P***ed!.pif
- c:\sexy.pif
- c:\She Could Fit her A** in a Teacup.pif
- c:\she's f***in fit.pif
- c:\titanic2.jpg.pif
(* replaces text)
A copy of the worm is dropped in %SysDir% as Isass.exe, where %SysDir% is either C:\Windows\System32 or C:\WinNT\System32.
The following registry keys are hooked to run the worm at startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Isass" = %SysDir%\Isass.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "Isass" = %SysDir%\Isass.exe
The worm creates a mutex object on the infected machine using the name:
The following processes are disabled on the victim's machine to prevent the user from manually stopping and removing the worm:
- Regedit.exe - registry editor
- Mstask.exe - task manager
- Msconfig.exe - configuration manager
W32/Mydoom.bd@MM
February 18, 2005
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4430 (released 2/18/2005)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_131861.htm
Stinger removal tool (v2.5.1, 2/18/05)
W32/Mydoom.bd@MM is similar to other variants of Mydoom.
Virus Description:
W32/Mydoom.bd@MM is a mass mailing email worm with these characteristics:
- has its own SMTP engine to construct messages
- harvests email addresses from the victim computer
- spoofs the FROM address
- downloads the BackDoor-CEB.f trojan
- opens various TCP ports on the victim computer
W32/Mydoom.bd@MM arrives via email with the following characteristics:
FROM: (spoofed; made to appear like a system message or a bounced email message)
- mailer-daemon@(target_domain)
- noreply@(target_domain)
- postmaster@(target_domain)
with display names (one of the following):
- "Postmaster"
- "Mail Administrator"
- "Automatic Email Delivery Software"
- "Post Office"
- "The Post Office"
- "Bounced mail"
- "Returned mail"
- "MAILER-DAEMON"
- "Mail Delivery Subsystem"
SUBJECT: (one of the following):
- hello
- hi
- error
- status
- test
- report
- delivery failed
- Message could not be delivered
- Mail System Error - Returned Mail
- Delivery reports about your e-mail
- Returned mail: see transcript for details
- Returned mail: Data format error
BODY: message is blank or may be similar to the following:
Dear user of [target domain]
We have received reports that your account was
used to send a large amount of junk email messages
during the last week.
Probably, your computer had been compromised and
now contains a hidden proxy server.
Please follow the instruction in the attached file
in order to keep your computer safe.
Have a nice day,
[domain] user support team.
Dear user of [target domain]
Mail server administrator of [domain] would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
[domain] user support team.
The message could not be delivered
The original message was included as attachment
The original message was received at [date & time] from [IP address]
----- The following addresses had permanent fatal errors -----
[email address]
----- Transcript of the session follows -----
... while talking to host [hostname]:
>>> MAIL From:[IP address]
<<< 501 User unknown
Session aborted
>>> RCPT To:[email address]
<<< 550 MAILBOX NOT FOUND
The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within [number] days:
Mail server is not responding
The following recipients did not receive this message:
[address]
Please reply to postmaster@[domain]
if you feel this message to be in error.
ATTACHMENT: may be an executable file with one of the following extensions:
It may also have the ZIP file extension and may be doubly ZIPped, e.g. a ZIPped file within a ZIP.
The attachment may use the target email address as the filename, in addition to one of the following filenames:
- readme
- instruction
- transcript
- mail
- letter
- file
- text
- attachment
- document
- message
The attachment may use a double extension and there may be multiple spaces between the file extensions to deceive users.
The virus harvests email addresses from .DOC, .TXT, .HTM, and .HTML files on the victim computer.
The virus queries four search engines to harvest addresses returned from those queries:
- http://search.lycos.com
- http://www.altavista.com
- http://search.yahoo.com
- http://www.google.com
The virus also harvests email addresses from any Outlook window that is active on the victim computer.
The virus attempts to download the backdoor trojan, BackDoor-CEB.f, from the following websites:
- www.aartanridge.org.uk/YaBBImages/(neutered).gif <== not on W32/Mydoom.bc@MM
- www.eastcoastchoons.co.uk/4play/(neutered) .JPG
- www.foxalpha.com/charte/(neutered).jpg
- www.ribaforada.net/banners/(neutered) .gif
- www.sundayriders.co.uk/images/(neutered).gif
- www.hooping.org/archives/(neutered).JPG
- www.imogenheap.co.uk/iblog/(neutered).jpg
- www.newgenerationcomics.net/banner/(neutered).jpg
Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:
It also drops the file SERVICES.EXE into this directory:
The following Registry keys are added to hook system startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %WinDir%\JAVA.EXE
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%\SERVICES.EXE
The following Registry keys are also added:
- HKEY_CURRENT_USER\Software\Microsoft\Daemon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
Various TCP ports are opened on the victim machine by the SERVICES.EXE process to listen for incoming connections. This process also sends TCP network traffic from a high port of the infected machine to randomly generated IP addresses. When another IP address is found to be infected with the backdoor, the IP address of that machine is encrypted and written to a file named zincite.log.
W32/Mydoom.bc@MM
February 18, 2005
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4430 (released 2/18/2005)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_131860.htm
Stinger removal tool (v2.5.1, 2/18/05)
W32/Mydoom.bc@MM is similar to other variants of Mydoom.
Virus Description:
W32/Mydoom.bc@MM is a mass mailing email worm with these characteristics:
- has its own SMTP engine to construct messages
- harvests email addresses from the victim computer
- spoofs the FROM address
- downloads the BackDoor-CEB.f trojan
- opens various TCP ports on the victim computer
W32/Mydoom.bc@MM arrives via email with the following characteristics:
FROM: (spoofed; made to appear like a system message or a bounced email message)
- mailer-daemon@(target_domain)
- noreply@(target_domain)
- postmaster@(target_domain)
with display names (one of the following):
- "Postmaster"
- "Mail Administrator"
- "Automatic Email Delivery Software"
- "Post Office"
- "The Post Office"
- "Bounced mail"
- "Returned mail"
- "MAILER-DAEMON"
- "Mail Delivery Subsystem"
SUBJECT: (one of the following):
- hello
- hi
- error
- status
- test
- report
- delivery failed
- Message could not be delivered
- Mail System Error - Returned Mail
- Delivery reports about your e-mail
- Returned mail: see transcript for details
- Returned mail: Data format error
BODY: message is blank or may be similar to the following:
Dear user of [target domain]
We have received reports that your account was
used to send a large amount of junk email messages
during the last week.
Probably, your computer had been compromised and
now contains a hidden proxy server.
Please follow the instruction in the attached file
in order to keep your computer safe.
Have a nice day,
[domain] user support team.
Dear user of [target domain]
Mail server administrator of [domain] would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
[domain] user support team.
The message could not be delivered
The original message was included as attachment
The original message was received at [date & time] from [IP address]
----- The following addresses had permanent fatal errors -----
[email address]
----- Transcript of the session follows -----
... while talking to host [hostname]:
>>> MAIL From:[IP address]
<<< 501 User unknown
Session aborted
>>> RCPT To:[email address]
<<< 550 MAILBOX NOT FOUND
The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within [number] days:
Mail server is not responding
The following recipients did not receive this message:
[address]
Please reply to postmaster@[domain]
if you feel this message to be in error.
ATTACHMENT: may be an executable file with one of the following extensions:
It may also have the ZIP file extension and may be doubly ZIPped, e.g. a ZIPped file within a ZIP.
The attachment may use the target email address as the filename, in addition to one of the following filenames:
- readme
- instruction
- transcript
- mail
- letter
- file
- text
- attachment
- document
- message
The attachment may use a double extension and there may be multiple spaces between the file extensions to deceive users.
The virus harvests email addresses from .DOC, .TXT, .HTM, and .HTML files on the victim computer.
The virus queries four search engines to harvest addresses returned from those queries:
- http://search.lycos.com
- http://www.altavista.com
- http://search.yahoo.com
- http://www.google.com
The virus also harvests email addresses from any Outlook window that is active on the victim computer.
The virus attempts to download the backdoor trojan, BackDoor-CEB.f, from the following websites:
- www.eastcoastchoons.co.uk/4play/(neutered) .JPG
- www.foxalpha.com/charte/(neutered).jpg
- www.ribaforada.net/banners/(neutered) .gif
- www.sundayriders.co.uk/images/(neutered).gif
- www.hooping.org/archives/(neutered).JPG
- www.imogenheap.co.uk/iblog/(neutered).jpg
- www.newgenerationcomics.net/banner/(neutered).jpg
Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:
It also drops the file SERVICES.EXE into this directory:
The following Registry keys are added to hook system startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %WinDir%\JAVA.EXE
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%\SERVICES.EXE
The following Registry keys are also added:
- HKEY_CURRENT_USER\Software\Microsoft\Daemon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
Various TCP ports are opened on the victim machine by the SERVICES.EXE process to listen for incoming connections. This process also sends TCP network traffic from a high port of the infected machine to randomly generated IP addresses. When another IP address is found to be infected with the backdoor, the IP address of that machine is encrypted and written to a file named zincite.log.
W32/Mydoom.bb@MM
(aka W32/MyDoom-o)
February 16, 2005
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4429 (to be released 2/16/2005)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_131856.htm
Feb. 16, 2005 2:45 pm HST
There's a new Mydoom email virus circulating on campus. W32/Mydoom.bb@MM appears to be from the mail administrator or a bounced email message and arrives with a spoofed FROM address and attachment with .ZIP, .EXE, .COM, .SCR, .PIF, .BAT or .CMD extensions. The UH mail server (mail.hawaii.edu) is blocking this virus.
McAfee VirusScan DAT 4429 (to be released 2/16/05) is required to detect this virus. Please delete messages matching this description and do NOT open any attachments. We will notify you when we receive DAT 4429 and update the UH repositories.
Virus Description:
W32/Mydoom.bb@MM is a mass mailing email worm with these characteristics:
- has its own SMTP engine to construct messages
- harvests email addresses from the victim computer
- spoofs the FROM address
- contains a P2P (peer-to-peer) routine
- downloads the BackDoor-CEB.f trojan
- TCP port 1034 is opened on the victim computer
W32/Mydoom.bb@MM arrives via email with the following characteristics:
FROM: (spoofed; made to appear like a system message or a bounced email message)
- mailer-daemon@(target_domain)
- noreply@(target_domain)
- postmaster@(target_domain)
with display names (one of the following):
- "Postmaster"
- "Mail Administrator"
- "Automatic Email Delivery Software"
- "Post Office"
- "The Post Office"
- "Bounced mail"
- "Returned mail"
- "MAILER-DAEMON"
- "Mail Delivery Subsystem"
SUBJECT: (one of the following):
- delivered
- hello
- hi
- error
- status
- test
- report
- delivery failed
- Message could not be delivered
- Mail System Error - Returned Mail
- Delivery reports about your e-mail
- Returned mail: see transcript for details
- Returned mail: Data format error
BODY: message is blank or may be similar to the following:
Dear user of [target domain]
Mail server administrator of [domain] would like to inform you that
We have detected that your e-mail account has been used to send a large
amount of unsolicited e-mail messages during this recent week.
We suspect that your computer had been compromised by a recent virus and now
runs a trojan proxy server.
Please follow our instructions in the attachment file
in order to keep your computer safe.
Virtually yours
[domain] user support team.
The message could not be delivered
The original message was included as attachment
The original message was received at [date & time] from [IP address]
----- The following addresses had permanent fatal errors -----
[email address]
----- Transcript of the session follows -----
... while talking to host [hostname]:
>>> MAIL From:[IP address]
<<< 501 User unknown
Session aborted
>>> RCPT To:[email address]
<<< 550 MAILBOX NOT FOUND
The message was undeliverable due to the following reason(s):
Your message was not delivered because the destination computer was not reachable within the allowed queue period. The amount of time a message is queued before it is returned depends on local configuration parameters.
Most likely there is a network problem that prevented delivery, but it is also possible that the computer is turned off, or does not have a mail system running right now. Your message was not delivered within [number] days:
Mail server is not responding
The following recipients did not receive this message:
[address]
Please reply to postmaster@[domain]
if you feel this message to be in error.
ATTACHMENT: filename is one of the following names:
- readme
- instruction
- transcript
- mail
- letter
- file
- text
- attachment
- document
- message
The filename may have an optional extension of .DOC, .TXT, .HTM, .HTML and a final extension of .ZIP, .EXE, .COM, .BAT, .CMD, .SCR or .PIF.
The virus copies itself to folders containing the strings:
Upon execution on the victim machine, the worm installs itself as JAVA.EXE in the Windows directory. For example:
It also drops the file SERVICES.EXE into this directory:
The following Registry keys are added to hook system startup:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "JavaVM" = %WinDir%\JAVA.EXE
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Services" = %WinDir%\SERVICES.EXE
The following Registry keys are also added:
- HKEY_CURRENT_USER\Software\Microsoft\Daemon
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Daemon
TCP port 1034 is opened on the victim machine by the SERVICES.EXE process, which listens for incoming connections. This process also sends TCP network traffic from a high port of the infected machine to randomly generated IP addresses on destination port 1034. When another IP address is found to be infected with the backdoor, the IP address of that machine is encrypted and written to a file named zincite.log.
W32/Sober.k@MM
(aka W32.Sober.j@mm)
January 31, 2005
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4424 (released 1/31/2005)
Minimum VirusScan scan engine: 4.4.00
For more information:
http://vil.nai.com/vil/content/v_131355.htm
Stinger removal tool (v2.4.9.2, 1/31/2005)
Jan. 31, 2005 9:30 am HST
McAfee has raised the risk of W32/Sober.k@MM (aka W32/Sober.j@mm) to medium due to increased prevalence. DAT 4424 has been released early to detect this threat. The UH repositories have been updated. Please update your VirusScan DAT to 4424 as soon as possible using "Update Now." Note: the new scan engine 4400 is required to delete and remove this virus.
Virus Description:
W32/Sober.k@MM is a mass mailing worm with the following characteristics:
- written in German or English
- FROM address is spoofed
- ATTACHMENT: EMAIL_TEXT.ZIP or TEXT.ZIP (43KB)
- The Zipped file contains the worm with filename MAIL_TEXT-INFO.TXT (many spaces) .PIF
- When executed, Notepad opens an error message
The worm checks the country origin of the domain extension. If the domain extension is a German variant, the email message is sent in German; otherwise it is sent in English. The following is the English version of the W32/Sober.k@MM email:
From: (spoofed)
Subject: I've got YOUR email on my account!!
Body:
Hello,
First, Sorry for my very bad English!
Someone send your private mails on my email account!
I think it's an Mail-Provider or SMTP error.
Normally, I delete such emails immediately, but in the mail-text is a name & adress. I think it's your name and adress.
In the last 8 days i've got 7 mails in my mail-box, but the recipient are you, not me. lol
OK, I've copied all email text in the Windows Text-Editor and i've zipped the text file with WinZip. The sender of this mails is in the text file, too.
bye
Attachment:
- EMAIL_TEXT.ZIP or
- TEXT.ZIP
The ZIP archive contains a copy of the worm with the following filename:
- MAIL_TEXT-INFO.TXT (many spaces) .PIF
Note: other anti-virus web sites indicate that the attachment may have other file extensions, including ZIP, PIF, SCR, BAT, COM or EXE.
The importance of the mail is set to "High" (this will only have an effect for certain mail clients).
The worm has a pool of strings which it uses to construct a random executable filename and registry keys for installing itself on the victim computer:
- 32
- crypt
- data
- diag
- dir
- disc
- expoler
- host
- log
- run
- service
- smss32
- spool
- sys
- win
The constructed filename always has an EXE file extension and consists of three strings from the pool of strings. The worm writes itself to the default Windows System directory. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP). For example, SYSSPOOLDISC.EXE.
The worm adds the value:
"[random value name]" = "%System%\[random file name].exe"
to the registry subkeys:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion
so that the worm executes every time Windows starts.
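Because the dropped file name is always three strings from the pool above, a directory listing can be screened for names that decompose that way. The following is an added example (not McAfee's or UH ITS's code) that finds every way a name splits into exactly three pool strings and applies it to a constructed System32 listing; the pool is quoted from the advisory, the three-part rule is taken from it as stated.

```python
"""Recognise file names built from W32/Sober.k@MM's string pool.

Added example, not McAfee's or UH ITS's code.  The directory listing is
constructed sample data.
"""
from typing import List, Tuple

# The pool quoted in the advisory above (including the worm's own "expoler" spelling).
POOL = ["32", "crypt", "data", "diag", "dir", "disc", "expoler", "host",
        "log", "run", "service", "smss32", "spool", "sys", "win"]
PARTS = 3   # the advisory says each name is exactly three pool strings


def segmentations(stem: str, parts: int = PARTS) -> List[Tuple[str, ...]]:
    """All ways to write stem as a concatenation of exactly `parts` pool strings.

    Plain recursion over the prefix: for each pool word that starts the
    remaining text, strip it and segment the rest with one part fewer.
    """
    if parts == 0:
        return [()] if stem == "" else []
    found = []
    for word in POOL:
        if stem.startswith(word):
            for rest in segmentations(stem[len(word):], parts - 1):
                found.append((word,) + rest)
    return found


def looks_like_sober_name(filename: str) -> bool:
    """True for NAME.EXE where NAME is three pool strings, case-insensitively.

    A name made of one or two pool strings (e.g. smss32.exe) is NOT flagged,
    because the advisory states the worm always uses three.
    """
    stem, dot, ext = filename.lower().rpartition(".")
    if not dot or ext != "exe":
        return False
    return bool(segmentations(stem))


def triage_listing(names: List[str]) -> List[Tuple[str, Tuple[str, ...]]]:
    """Return (name, first segmentation) for each suspicious name in a listing."""
    hits = []
    for name in names:
        if looks_like_sober_name(name):
            stem = name.lower().rpartition(".")[0]
            hits.append((name, segmentations(stem)[0]))
    return hits


SAMPLE_SYSTEM32 = [        # constructed directory listing
    "SYSSPOOLDISC.EXE",    # the advisory's own example
    "WINLOGRUN.EXE",
    "smss32.exe",          # a single pool string, so not three
    "explorer.exe",        # genuine Windows binary ("explorer" is not in the pool)
    "kernel32.dll",        # wrong extension
    "CRYPTDIAGHOST.exe",
]

if __name__ == "__main__":
    for name, parts in triage_listing(SAMPLE_SYSTEM32):
        print(f"{name}: {' + '.join(parts)}")
```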
Network Symptoms:
Symptoms indicating the worm's presence on a network include:
- outgoing messages matching the characteristics described here
- unexpected NTP traffic on TCP port 37
- unexpected attempts to log into several GMX accounts (POP3)
- unexpected outgoing DNS queries to DNS servers on the Internet for one or more of the following domains:
- microsoft.com
- bigfoot.com
- yahoo.com
- t-online.de
- google.com
- hotmail.com
W32/Bagle.bj@MM, W32/Bagle.bk@MM
(aka W32.Beagle.az@mm)
January 27, 2005
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4423 (released 1/27/2005)
Minimum VirusScan scan engine: 4.3.20
For more information:
http://vil.nai.com/vil/content/v_131351.htm
Jan. 27, 2005 9:30 am HST
McAfee has released DAT 4423 early to detect a couple of new Bagle email viruses. W32/Bagle.bj@MM is rated MEDIUM due to increased prevalence and W32/Bagle.bk@MM (aka W32.Beagle.az@MM; very similar to W32/Bagle.bj@MM) is rated LOW.
W32/Bagle.bj@MM and W32/Bagle.bk@MM are mass mailing and peer-to-peer worms with the following characteristics:
- has its own SMTP engine to construct outgoing messages
- harvests email addresses from the infected computer
- FROM address is spoofed
- ATTACHMENT has extension .EXE, SCR, .COM, or .CPL
- terminates security and antivirus programs
- makes changes to the registry
- opens random TCP ports starting from port 2339 on the infected computer
- creates infected files in folders containing the phrase SHAR (often used in peer-to-peer filesharing programs)
Virus Description:
The Bagle viruses (both variants) arrive via email with these characteristics:
From : (address is spoofed)
Subject :
- Delivery service mail
- Delivery by mail
- Registration is accepted
- Is delivered mail
- You are made active
Body Text:
- Thanks for use of our software.
- Before use read the help
Attachment: (may be one of the following, with an extension of .exe, .scr, .com, or .cpl)
- wsd01
- viupd02
- siupd02
- guupd02
- zupd02
- upd02
- Jol03
The virus copies itself into the Windows System directory as sysformat.exe. For example:
- C:\WINNT\SYSTEM32\sysformat.exe
It also creates other files in this directory to perform its functions:
- C:\WINNT\SYSTEM32\sysformat.exeopen
- C:\WINNT\SYSTEM32\sysformat.exeopenopen
The following Registry key is added to hook system startup:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "sysformat" = C:\WINNT\SYSTEM32\sysformat.exe
Additionally, the following Registry keys are added:
- HKEY_CURRENT_USER\Software\Microsoft\Params "TimeKey"
It deletes these values from the following Registry keys, if they are present:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
A mutex is created to ensure only one instance of the worm is running at a time. One of the following mutex names is used in an attempt to stop particular variants of W32/Netsky running on the infected machine:
- MuXxXxTENYKSDesignedAsTheFollowerOfSkynet-D
- _-oO]xX|-S-k-y-N-e-t-|Xx[Oo-_
This worm attempts to terminate the process of security and antivirus programs. See McAfee article for complete list of filenames.
The virus contains a backdoor that can be used to run executable files sent to the infected computer.
The virus copies itself to folders on the infected computer that contain the phrase shar, copying itself with the following filenames:
- 1.exe
- 2.exe
- 3.exe
- 4.exe
- 5.scr
- 6.exe
- 7.exe
- 8.exe
- 9.exe
- 10.exe
- Ahead Nero 7.exe
- Windown Longhorn Beta Leak.exe
- Opera 8 New!.exe
- XXX hardcore images.exe
- WinAmp 6 New!.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- Adobe Photoshop 9 full.exe
- Matrix 3 Revolution English Subtitles.exe
- ACDSee 9.exe
W32/Zafi.d@MM
(aka W32.Erkez.D@mm)
December 14, 2004
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4414 (released 12/14/2004)
Minimum VirusScan scan engine: 4.3.20
For more information:
http://vil.nai.com/vil/content/v_130371.htm
Dec. 14, 2004 9:00 am HST
McAfee released DAT 4414 early to detect new variant W32/Zafi.d@MM. The risk level of this virus has been raised to Medium due to increased prevalence. The UH repositories have been updated. Please update your VirusScan DAT to 4414 using the manual "Update Now" method as soon as possible.
W32/Zafi.d@MM has the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- spoofs the FROM address
- harvests email addresses from the victim machine
- outgoing email messages are in various languages pretending to be a holiday greeting
- spreads via P2P filesharing
- shuts down security services like firewalls and antivirus products
- opens TCP port 8181 on the infected system
W32/Zafi.d@MM is a mass mailing worm that pretends to be a holiday greeting in various languages. The FROM address is spoofed and the message comes with an attachment. Do not open attachments from unknown users and be very cautious when opening attachments from known users. For this virus, the recipient must open the attachment before getting infected.
From: (Spoofed)
Subject: (One of the following)
- Merry Christmas!
- boldog karacsony...
- Feliz Navidad!
- ecard.ru
- Christmas Kort!
- Christmas Vykort!
- Christmas Postkort!
- Christmas postikorti!
- Christmas - Kartki!
- Weihnachten card.
- Prettige Kerstdagen!
- Christmas pohlednice
- Joyeux Noel!
- Buon Natale!
Body Text: (One of the following)
- Happy HollyDays!
:) [Recipient]
- Kellemes Unnepeket!
:) [Recipient]
- Feliz Navidad!
:) [Recipient]
- :) [Recipient]
- Glaedelig Jul!
:) [Recipient]
- God Jul!
:) [Recipient]
- God Jul!
:) [Recipient]
- Iloista Joulua!
:) [Recipient]
- Naulieji Metai!
:) [Recipient]
- Wesolych Swiat!
:) [Recipient]
- Fröhliche Weihnachten!
:) [Recipient]
- Prettige Kerstdagen!
:) [Recipient]
- Veselé Vánoce!
:) [Recipient]
- Joyeux Noel!
:) [Recipient]
- Buon Natale!
:) [Recipient]
Attachment: (May be one of the following)
- Link.postcard.christmas.htm
- card.php2662.gif.cmd
- postcard.php8583.zip
Here is an example of an email sent by the Zafi.d worm. The graphic and format of the email are the same in other languages.
The worm also spreads via P2P (peer-to-peer) filesharing by copying itself to directories on the C: drive whose name contains the phrase share, upload or music, using the following filenames:
- winamp 5.7 new!.exe
- ICQ 2005a new!.exe
The worm tries to shut down security services like firewalls and antivirus software. It attempts to make the programs reged, msconfig, and task unavailable, making virus detection and cleanup more difficult.
The worm drops the following files to the default windows System %windir%\system32 folder:
- C:\WINNT\system32\ .EXE - 11,745 bytes
- C:\WINNT\system32\
- C:\WINNT\system32\Norton Update.exe - 11,745 bytes
- C:\WINNT\system32\ .DLL - (worm zipped up)
- C:\s.cm - 20,552 bytes (winzip dll module)
It creates a registry key, so the file gets executed every time the machine starts:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Wxp4" = C:\WINDOWS\SYSTEM32\Norton Update.exe
It creates the following registry key to store information of the worm:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Wxp4
W32/Sober.j@MM
November 19, 2004
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4409 (released 11/19/2004)
Minimum VirusScan scan engine: 4.3.20
For more information:
http://vil.nai.com/vil/content/v_129531.htm
Stinger Removal Tool (v.2.4.4, 11/8/04)
Nov. 19, 2004 9:00 am HST
McAfee released DAT 4409 early to detect new variant W32/Sober.j@MM.
McAfee has raised the risk level of another Mydoom variant,
W32/Mydoom.ah@MM, to MEDIUM due to increased prevalence and released the
full 4405 DAT early to detect both W32/Mydoom.ag@MM and W32/Mydoom.ah@MM
variants. Both variants are similar.
The UH repositories have been updated. Please update your VirusScan DAT to 4409 using the manual "Update Now" method as soon as possible.
W32/Sober.j@MM has the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- queries DNS and NTP servers to see if the infected machine is connected to the internet
The worm attempts to connect to computers via TCP 37:
swisstime.ee.ethz.ch
ntp2.ien.it
ntp0-rz.rrze.uni-erlangen.de
FS1.ece.cmu.edu
ntp2.ptb.de
ntp-sop.inria.fr
lanczos.maths.tcd.ie
time-a.timefreq.bldrdoc.gov
india.colorado.edu
gnomon.cc.columbia.edu
metasweb01.admin.ch
vega.cbk.poznan.pl
time.nist.gov
time.nrc.ca
ns1.usg.edu
otc2.psu.edu
nist1.symmetricom.com
clock.xmission.com
sue.cc.uregina.ca
For DNS, the worm attempts to connect to the following computers via UDP port 53:
141.40.10.35
213.218.170.6
217.237.151.33
213.239.234.108
200.74.214.246
212.242.88.2
151.201.0.39
82.195.234.2
195.112.195.34
80.148.11.231
131.243.64.3
129.187.16.1
141.40.10.35
62.39.89.71
145.253.2.171
195.182.96.29
203.162.0.11
131.174.8.14
207.217.120.43
216.203.115.105
209.235.107.14
62.156.146.242
210.66.241.1
194.209.114.1
209.253.113.2
129.187.10.25
208.48.34.135
217.116.224.253
61.95.134.168
193.158.124.143
212.71.97.156
192.35.232.34
217.237.150.225
207.69.188.186
166.60.12.11
The worm queries those servers for these domain names:
microsoft.com
bigfoot.com
yahoo.com
t-online.de
google.com
hotmail.com
The worm copies itself twice to the system folder using a constructed filename. The filenames are built by combining the following strings and always end with ".exe":
- sys
- host
- dir
- expoler
- win
- run
- log
- 32
- disc
- crypt
- data
- diag
- spool
- service
- smss32
Body: various error messages
Attachment: attaches a copy of itself using a constructed filename.
The system is hooked to run the virus on start up by the following registry keys. (Note: filename and keys are constructed using the technique above)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "hostexpoler"
Data: C:\WINNT\System32\datadiscwin.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "wincryptx"
Data: C:\WINNT\System32\cryptservice.exe %srun%
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "disccryptx"
Data: C:\WINNT\System32\cryptservice.exe %srun%
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "runsmss32"
Data: C:\WINNT\System32\datadiscwin.exe
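Because the filenames and Run-key value names are built from a fixed string pool (described here and in the earlier Sober note above), a triage check can reverse the construction: split a name into pool strings and flag it if it decomposes cleanly. The following is an added example, not code from the alert or from McAfee. It accepts two- or three-part names because the alert's own examples include both (datadiscwin.exe has three parts, cryptservice.exe two), strips the trailing "x" seen in value names such as wincryptx (an assumption drawn from those examples), and audits a constructed set of Run-key entries of the kind you would get from a registry export.

```python
"""Triage check for Sober-style constructed names (added example, not from the alert).

Decomposes EXE filenames and Run-key value names into the worm's string pool.
The Run-key entries below are constructed sample data, not a real export.
"""
import re

# The string pool the alert lists.
POOL = ["32", "crypt", "data", "diag", "dir", "disc", "expoler", "host",
        "log", "run", "service", "smss32", "spool", "sys", "win"]

EXE_RE = re.compile(r"([^\\/]+?\.exe)", re.I)   # first path component ending in .exe


def decompositions(s, pool=POOL):
    """All ways to write lowercase string s as a concatenation of pool strings."""
    if s == "":
        return [[]]
    out = []
    for p in pool:
        if s.startswith(p):
            for rest in decompositions(s[len(p):], pool):
                out.append([p] + rest)
    return out


def pool_parts(stem, min_parts=2, max_parts=3):
    """First decomposition of stem with an acceptable part count, or None."""
    for d in decompositions(stem.lower()):
        if min_parts <= len(d) <= max_parts:
            return d
    return None


def sober_style_name(filename):
    """Return the pool strings making up an .exe filename, or None if it is not one."""
    name = filename.lower()
    if not name.endswith(".exe"):
        return None
    return pool_parts(name[:-4])


def audit_run_values(run_values):
    """run_values: {value_name: data} from a Run key. Returns (name, data, reasons) hits."""
    flagged = []
    for name, data in run_values.items():
        reasons = []
        m = EXE_RE.search(data)                 # tolerate arguments such as "%srun%"
        parts = sober_style_name(m.group(1)) if m else None
        if parts:
            reasons.append("exe=" + "+".join(parts))
        # Observed value names (wincryptx, disccryptx) carry a trailing 'x'; assumption.
        name_parts = pool_parts(name.rstrip("xX"))
        if name_parts:
            reasons.append("name=" + "+".join(name_parts))
        if reasons:
            flagged.append((name, data, reasons))
    return flagged


# Constructed sample Run-key export: two worm entries and one legitimate product entry.
SAMPLE_RUN = {
    "hostexpoler": r"C:\WINNT\System32\datadiscwin.exe",
    "wincryptx": r"C:\WINNT\System32\cryptservice.exe %srun%",
    "McAfeeUpdaterUI": r"C:\Program Files\McAfee\UpdaterUI.exe /StartedFromRunKey",
}

if __name__ == "__main__":
    for name, data, why in audit_run_values(SAMPLE_RUN):
        print(f'{name!r} -> {data}  [{", ".join(why)}]')
```

Short pool strings collide with legitimate names (a file called syslog.exe would decompose as sys+log), so treat a hit as a reason to look at the file's location, size and DAT scan result rather than as a verdict, and keep an allowlist of known-good names for your environment.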
W32/Mydoom.ah@MM
November 8, 2004
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4405 (released 11/9/2004)
Minimum VirusScan scan engine: 4.3.20
For more information:
http://vil.nai.com/vil/content/v_129531.htm
Stinger Removal Tool (v.2.4.4, 11/8/04)
Nov. 9, 2004 7:00 am HST
McAfee has raised the risk level of another Mydoom variant,
W32/Mydoom.ah@MM, to MEDIUM due to increased prevalence and released the
full 4405 DAT early to detect both W32/Mydoom.ag@MM and W32/Mydoom.ah@MM
variants. Both variants are similar.
The UH repositories have been updated. Please update your VirusScan DAT to
4405 using the manual "Update Now" method as soon as possible. Note: you do
NOT need to install the SUPER EXTRA.DAT (for W32/Mydoom.ag@MM), if you have
not already done so.
Nov. 8, 2004 6:15 p.m. HST
There is a new MyDoom variant going around -- without an attachment -- exploiting the Internet Explorer IFRAME buffer overflow vulnerability. If you receive an email matching the following description, please DELETE it. Do not click on any links in the email!
From: Spoofed address
Subject: (case may vary)
- hi!
- hey!
- Confirmation
- blank
Body: (either PayPal or webcam message)
Congratulations! PayPal has successfully charged $175 to your credit card. Your order tracking number is A866DEC0, and your item will be shipped within three business days.
To see details please click this link.
DO NOT REPLY TO THIS MESSAGE VIA EMAIL! This email is being sent by an automated message system and the reply will not be received.
Thank you for using PayPal.
or
Hi! I am looking for new friends.
My name is Jane, I am from Miami, FL.
See my homepage with my weblog and last webcam photos!
See you!
or
Hi! I am looking for new friends. I am from Miami, FL. You can see my homepage with my last webcam photos!
The mail header may contain one of the following fields:
- X-AntiVirus: scanned for viruses by AMaViS 0.2.1 (http://amavis.org/)
- X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
- X-AntiVirus: Checked for viruses by Gordano's AntiVirus Software
There is no attachment. When you click on the link or homepage hyperlink in the email, HTML code on the infected computer exploits the IE IFRAME buffer overflow vulnerability which automatically executes the virus. The hyperlink contains the IP address of the infected computer that sent the Mydoom email.
Infected systems will have Windows Explorer listening on TCP port 1639.
There is no patch for the Internet Explorer vulnerability (yet). Internet Explorer 6 running on Windows XP SP1 and Windows 2000 appear to be affected. Windows XP SP2 systems are not affected.
Sophos calls this virus the Bofra worm. Their web page explains how the Mydoom (aka Bofra worm) spreads and infects computers.
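The traits the alert lists for this message (a short lure subject, a forged X-AntiVirus header, no attachment, and a link pointing at the sending host's IP address) can be scored at the mail gateway before a user ever sees the link. The following is an added example, not from the alert or from any vendor; the two messages are constructed, the 192.0.2.10 address is a documentation address, and the rule that a link to port 1639 scores extra is an assumption drawn from the note that infected hosts listen on that port.

```python
"""Mail-gateway triage for the attachment-less Mydoom.ah lure described above.

Added example; not from the alert. Scores the listed traits and flags a message
for quarantine above a threshold. Sample messages are constructed.
"""
import email
import re
from email import policy

SUBJECT_LURES = {"hi!", "hey!", "confirmation", ""}      # "" covers a blank subject
XAV_MARKERS = ("AMaViS 0.2.1", "Dr.Web", "Gordano's AntiVirus")
BODY_PHRASES = ("paypal has successfully charged", "looking for new friends")
IP_LINK_RE = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?", re.I)
QUARANTINE_AT = 4


def analyze_message(raw):
    """Return {'score', 'reasons', 'quarantine'} for one RFC 822 message string."""
    msg = email.message_from_string(raw, policy=policy.default)
    score, reasons = 0, []

    subject = str(msg["Subject"] or "").strip().lower()
    if subject in SUBJECT_LURES:
        score += 1
        reasons.append("subject_lure")

    # The worm forges these headers to look pre-scanned; real scanners differ per site.
    for hdr in msg.get_all("X-AntiVirus") or []:
        if any(marker in str(hdr) for marker in XAV_MARKERS):
            score += 2
            reasons.append("x_antivirus_header")
            break

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body is not None else ""
    if any(p in text.lower() for p in BODY_PHRASES):
        score += 1
        reasons.append("body_phrase")

    # A link to a bare IP address is the key trait: it points at the sender's own host.
    for m in IP_LINK_RE.finditer(text):
        score += 2
        reasons.append("ip_link")
        if m.group(2) == "1639":            # assumption: the listening port from the alert
            score += 1
            reasons.append("ip_link_port_1639")
        break

    return {"score": score, "reasons": reasons, "quarantine": score >= QUARANTINE_AT}


# Constructed samples (192.0.2.10 is a documentation address, not a real host).
SAMPLE_WORM = """\
From: "PayPal" <service@example.net>
To: user@example.org
Subject: hi!
X-AntiVirus: Checked by Dr.Web (http://www.drweb.net)
Content-Type: text/plain; charset=us-ascii

Congratulations! PayPal has successfully charged $175 to your credit card.
To see details please click this link: http://192.0.2.10:1639/
"""

SAMPLE_BENIGN = """\
From: Colleague <colleague@example.org>
To: user@example.org
Subject: Meeting notes
Content-Type: text/plain; charset=us-ascii

Notes from today are at https://www.hawaii.edu/ as discussed.
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, analyze_message(raw))
```

The weights are deliberately additive so that no single trait (a blank subject, say) quarantines mail on its own; the bare-IP link plus a forged scanner header is what separates this lure from ordinary traffic.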
W32/Bagle.bd@MM
(aka W32.Beagle.AW@mm)
October 29, 2004
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4403
Minimum VirusScan scan engine: 4.3.20
For more information:
http://vil.nai.com/vil/content/v_129511.htm
Stinger Removal Tool:
http://vil.nai.com/vil/stinger/ (v2.4.3, 10/29/2004)
Oct. 29, 2004 11:50 a.m. HST - McAfee released DAT 4403 early to detect new variant W32/Bagle.bd@MM due to increased prevalence. DAT 4403 will also detect W32/Bagle.bb@MM.
W32/Bagle.bd@MM is similar to W32/Bagle.bb@MM and has the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- the attachment (filename Price, price or joke) has an EXE, SCR, COM or CPL extension
- contains a remote access component (listens on TCP port 81)
- copies itself to folders that have the phrase SHAR in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
- tries to terminate anti-virus and security processes, as well as other viruses, such as Netsky
- deletes registry entries of security programs and other worms
The worm arrives via email with the following characteristics:
FROM: (spoofed; uses email address harvested from local computer)
SUBJECT: (one of the following)
- Re:
- Re: Hello
- Re: Thank you!
- Re: Thanks :)
- Re: Hi
BODY: (one of the following)
ATTACHMENT: (one of the following with EXE, SCR, COM or CPL extension)
The following paragraph applies to W32/Bagle.bd@MM only:
If the worm is received as a CPL file and executed, it drops and executes the worm. The CPL dropper copies itself as CJECTOR.EXE within the default Windows directory. For example,
C:\WINNT\CJECTOR.EXE
-----W32/Bagle.bd@MM-------
The virus copies itself into the default Windows System directory as WINGO.EXE. For example, C:\WINDOWS\SYSTEM32\wingo.exe.
It also makes multiple copies of itself in the default Windows System directory:
- C:\WINNT\SYSTEM32\wingo.exeopen
- C:\WINNT\SYSTEM32\wingo.exeopenopen
- etc.
The system is hooked to run the virus on startup by the following Registry key entry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "wingo" = "C:\WINDOWS\SYSTEM32\wingo.exe"
The registry key below is added to store data within a "TimeKey" key:
- HKEY_CURRENT_USER\Software\Params
It creates a mutex to stop variants of virus W32/Netsky running on the infected computer.
These files are created in folders that contain the phrase SHAR (these folders are used with peer to peer applications such as KaZaa, Bearshare, Limewire, etc.):
- Microsoft Office 2003 Crack, Working!.exe
- Microsoft Windows XP, WinXP Crack, working Keygen.exe
- Microsoft Office XP working Crack, Keygen.exe
- Porno, sex, oral, anal cool, awesome!!.exe
- Porno Screensaver.scr
- Serials.txt.exe
- KAV 5.0
- Kaspersky Antivirus 5.0
- Porno pics arhive, xxx.exe
- Windows Sourcecode update.doc.exe
- Ahead Nero 7.exe
- Windown Longhorn Beta Leak.exe
- Opera 8 New!.exe
- XXX hardcore images.exe
- WinAmp 6 New!.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- Adobe Photoshop 9 full.exe
- Matrix 3 Revolution English Subtitles.exe
- ACDSee 9.exe
The worm terminates processes of the following security products if they are running on the victim machine:
- mcagent.exe
- mcvsshld.exe
- mcshield.exe
- mcvsescn.exe
- mcvsrte.exe
- DefWatch.exe
- Rtvscan.exe
- ccEvtMgr.exe
- NISUM.EXE
- ccPxySvc.exe
- navapsvc.exe
- NPROTECT.EXE
- nopdb.exe
- ccApp.exe
- Avsynmgr.exe
- VsStat.exe
- Vshwin32.exe
- alogserv.exe
- RuLaunch.exe
- Avconsol.exe
- PavFires.exe
- FIREWALL.EXE
- ATUPDATER.EXE
- LUALL.EXE
- DRWEBUPW.EXE
- AUTODOWN.EXE
- NUPGRADE.EXE
- OUTPOST.EXE
- ICSSUPPNT.EXE
- ICSUPP95.EXE
- ESCANH95.EXE
- AVXQUAR.EXE
- ESCANHNT.EXE
- ATUPDATER.EXE
- AUPDATE.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- AVXQUAR.EXE
- AVWUPD32.EXE
- AVPUPD.EXE
- CFIAUDIT.EXE
- UPDATE.EXE
- NUPGRADE.EXE
- MCUPDATE.EXE
- pavsrv50.exe
- AVENGINE.EXE
- APVXDWIN.EXE
- pavProxy.exe
- navapw32.exe
- navapsvc.exe
- ccProxy.exe
- navapsvc.exe
- NPROTECT.EXE
- SAVScan.exe
- SNDSrvc.exe
- symlcsvc.exe
- LUCOMS~1.EXE
- blackd.exe
- bawindo.exe
- FrameworkService.exe
- VsTskMgr.exe
- SHSTAT.EXE
- UpdaterUI.exe
The worm contacts a long list of websites (see http://vil.nai.com/vil/content/v_129511.htm for the complete list) to retrieve a file named G.JPG. At the time of the posting, the file was not available on any of the web sites.
W32/Bagle.bb@MM
(aka W32.Beagle.AV@mm)
October 29, 2004
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4402
Minimum VirusScan scan engine: 4.3.20
For more information:
http://vil.nai.com/vil/content/v_129509.htm
Stinger Removal Tool:
http://vil.nai.com/vil/stinger/ (v2.4.3, 10/29/2004)
Oct. 29, 2004 - McAfee released DAT 4402 early to detect new variant W32/Bagle.bb@MM due to increased prevalence.
W32/Bagle.bb@MM has the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- the attachment (filename Price, price or joke) has an EXE, SCR, COM or CPL extension
- contains a remote access component (listens on TCP port 81)
- copies itself to folders that have the phrase SHAR in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
- tries to terminate anti-virus and security processes, as well as other viruses, such as Netsky
- deletes registry entries of security programs and other worms
The worm arrives via email with the following characteristics:
FROM: (spoofed; uses email address harvested from local computer)
SUBJECT: (one of the following)
- Re:
- Re: Hello
- Re: Thank you!
- Re: Thanks :)
- Re: Hi
BODY: (one of the following)
ATTACHMENT: (one of the following with EXE, SCR, COM or CPL extension)
The virus copies itself into the default Windows System directory as WINGO.EXE. For example, C:\WINDOWS\SYSTEM32\wingo.exe.
It also makes multiple copies of itself in the default Windows System directory:
- C:\WINNT\SYSTEM32\wingo.exeopen
- C:\WINNT\SYSTEM32\wingo.exeopenopen
- etc.
The system is hooked to run the virus on startup by the following Registry key entry:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "wingo" = "C:\WINDOWS\SYSTEM32\wingo.exe"
The registry key below is added to store data within a "TimeKey" key:
- HKEY_CURRENT_USER\Software\Params
It creates a mutex to stop variants of virus W32/Netsky running on the infected computer.
These files are created in folders that contain the phrase SHAR (these folders are used with peer to peer applications such as KaZaa, Bearshare, Limewire, etc.):
- Microsoft Office 2003 Crack, Working!.exe
- Microsoft Windows XP, WinXP Crack, working Keygen.exe
- Microsoft Office XP working Crack, Keygen.exe
- Porno, sex, oral, anal cool, awesome!!.exe
- Porno Screensaver.scr
- Serials.txt.exe
- KAV 5.0
- Kaspersky Antivirus 5.0
- Porno pics arhive, xxx.exe
- Windows Sourcecode update.doc.exe
- Ahead Nero 7.exe
- Windown Longhorn Beta Leak.exe
- Opera 8 New!.exe
- XXX hardcore images.exe
- WinAmp 6 New!.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- Adobe Photoshop 9 full.exe
- Matrix 3 Revolution English Subtitles.exe
- ACDSee 9.exe
The worm terminates processes of the following security products if they are running on the victim machine:
- mcagent.exe
- mcvsshld.exe
- mcshield.exe
- mcvsescn.exe
- mcvsrte.exe
- DefWatch.exe
- Rtvscan.exe
- ccEvtMgr.exe
- NISUM.EXE
- ccPxySvc.exe
- navapsvc.exe
- NPROTECT.EXE
- nopdb.exe
- ccApp.exe
- Avsynmgr.exe
- VsStat.exe
- Vshwin32.exe
- alogserv.exe
- RuLaunch.exe
- Avconsol.exe
- PavFires.exe
- FIREWALL.EXE
- ATUPDATER.EXE
- LUALL.EXE
- DRWEBUPW.EXE
- AUTODOWN.EXE
- NUPGRADE.EXE
- OUTPOST.EXE
- ICSSUPPNT.EXE
- ICSUPP95.EXE
- ESCANH95.EXE
- AVXQUAR.EXE
- ESCANHNT.EXE
- ATUPDATER.EXE
- AUPDATE.EXE
- AUTOTRACE.EXE
- AUTOUPDATE.EXE
- AVXQUAR.EXE
- AVWUPD32.EXE
- AVPUPD.EXE
- CFIAUDIT.EXE
- UPDATE.EXE
- NUPGRADE.EXE
- MCUPDATE.EXE
- pavsrv50.exe
- AVENGINE.EXE
- APVXDWIN.EXE
- pavProxy.exe
- navapw32.exe
- navapsvc.exe
- ccProxy.exe
- navapsvc.exe
- NPROTECT.EXE
- SAVScan.exe
- SNDSrvc.exe
- symlcsvc.exe
- LUCOMS~1.EXE
- blackd.exe
- bawindo.exe
- FrameworkService.exe
- VsTskMgr.exe
- SHSTAT.EXE
- UpdaterUI.exe
The worm contacts a long list of websites (see http://vil.nai.com/vil/content/v_129509.htm for the complete list) to retrieve a file named G.JPG. At the time of the posting, the file was not available on any of the web sites.
W32/Netsky.ag@MM
October 14, 2004
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4399
Minimum VirusScan scan engine: 4.3.20
For more information:
http://vil.nai.com/vil/content/v_128905.htm
McAfee has released DAT 4399 early due to the increase in prevalence of a new variant W32/Netsky.ag@MM mass mailing worm. The UH repositories have been updated. Please update your McAfee VirusScan DAT to 4399 as soon as possible using the manual "Update Now" method.
Virus Description
-----------------
W32/Netsky.ag@MM has the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- copies itself to local folders containing the string share or sharing, network shares and P2P shared folders
When run, the worm displays a message box "File corrupted replace this!"
The virus copies itself into the default Windows System directory as MsnMsgrs.EXE. For example, C:\WINDOWS\SYSTEM32\MsnMsgrs.exe
The system is hooked to run the virus on startup by the following Registry key entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "MsnMsgr" = %WinDir%\MsnMsgrs.exe -alev
It copies itself to Windows directory as the following files:
Agradou.zip
agua!.zip
AIDS!.zip
aqui.zip
banco!.zip
bingos!.zip
botao.zip
brasil!.zip
carros!.zip
circular.zip
contas!!.zip
criancas!.zip
diga.zip
dinheiro!!.zip
docs.zip
email.zip
festa!!.zip
flipe.zip
grana!!.zip
grana.zip
imposto.zip
impressao!!.zip
jogo!.zip
lantrocidade.zip
LINUSTOR.zip
loterias.zip
lulao!.zip
massas!.zip
missao.zip
MsnMsgrs.exe
revista.zip
robos!.zip
sampa!!.zip
sorteado!!.zip
tetas.zip
vaca.zip
vadias!.zip
vips!.zip
Voce.zip
war3!.zip
Zerado.zip
The Subject: field may contain one of the following subjects
0123456789
Abra rapido isso!!!!
acrdito que em voce!!!
algo a mais
AmaVoce
amor me liga
AninhaPutinha +55operado6992292246
arquivo zipado PGP???
Boleto Pague
campanhadafome
encontro voce!
estou doente veja!!!
falea verdade!!!
ferias nos E.U.A
ganhe muita grana
gostaria disso e voce???
grana
Hackers do Brasil
Lembra?
me diz o queacha?
me veja peladinha
Medical Labs Exames!!!
meu telefone liga
olha que isso!!!
parabens!
PizzaVeneza!
Policia SP
pq nao me liga??
preenche ai ta bom
promocao de viajens de fim de ano
Proposta de emprego!!
receitas de bolo!!
retorna logo isso!!
reza de sao tome!!!!.
sinto voce!!
sua conta bancaria zerada
Sua Conta!!
Surto :(
te amo!
tudo sobre voce sabe
Vacina contra o HIV!!
ve ai logo ta
veja detalhes!!!.
veja o que tem no zip e me liga
voce passou :D!!!
The Attachment: field may contain one of the following
agradou
agua!
AIDS!
banco!
bingos!
botao
brasil!
carros!
circular
contas!!
criancas!
dinheiro!!
email
festa!!
flipe
grana
grana!!
imposto
impressao!!
jogo!
lantrocidade
LINUSTOR
loterias
lulao!
massas!
missao
morto
pescaria por kilo
revista
robos!
sampa!!
sorteado!!
Sua saude esta bem?
tetas
vadias!
vips!
war3!
zerado
The body: field may contain one of the following:
PizzaVeneza!
preenche ai ta bom
encontro voce!
veja detalhes!!!.
reza de sao tome!!!!.
Abra rapido isso!!!!
AmaVoce
AMA!
ve ai logo ta
voce passou :D!!!
arquivo zipado PGP???
retorna logo isso!!
me diz o queacha?
estou doente veja!!!
Proposta de emprego!!
tudo sobre voce sabe
promocao de viajens de fim de ano
acrdito que em voce!!!
receitas de bolo!!
veja o que tem no zip e me liga
Boleto Pague
Sua Conta!!
Policia SP
te amo!
parabens!
olha que isso!!!
sua conta bancaria zerada
Vacina contra o HIV!!
Surto :(
ferias nos E.U.A
meu telefone liga
Medical Labs Exames!!!
Hackers do Brasil
amor me liga
Lembra?
grana
sinto voce!!
pq nao me liga??
vaca
campanhadafome
ganhe muita grana
falea verdade!!!
algo a mais
gostaria disso e voce???
me veja peladinha
FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.
If you need more assistance, please contact the ITS Help Desk at 808-956-8883, 800-558-2669 (toll free from neighbor islands), or email help@hawaii.edu.
W32/Bagle.az@MM
(aka W32.Beagle.AR@mm)
September 28, 2004
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4395
Minimum VirusScan scan engine: 4.3.20
For more information:
http://vil.nai.com/vil/content/v_128582.htm
Stinger Removal Tool:
http://vil.nai.com/vil/stinger/ (v2.4.0, 9/28/2004)
September 28, 2004 3:15 pm HST
McAfee has released DAT 4395 early to detect a new variant W32/Bagle.az@MM (aka W32.Beagle.AR@mm) mass mailing worm. The UH repositories have been updated. Please update your McAfee VirusScan DAT to 4395 as soon as possible using the manual "Update Now" method.
JPEG (GDI+) Critical Windows Vulnerability (MS04-028)
This is worth repeating... especially since W32/Bagle.az worm downloads a .JPG file.
On Sept. 14, Microsoft announced the JPEG (GDI+) vulnerability in security bulletin MS04-028 affecting Windows operating systems, as well as applications, such as Microsoft Office, Visio, Visual Studio, .NET Framework, and others. Go to http://www.microsoft.com/technet/security/bulletin/ms04-028.mspx for details and patches. This is a CRITICAL update. A specially crafted JPEG can contain code for remote code execution. Code exploiting the JPEG vulnerability was posted to Usenet a few days ago.
Please patch your Windows system (go to http://windowsupdate.microsoft.com) and Microsoft Office (go to http://officeupdate.microsoft.com) as soon as possible.
SANS has released its own GDI scanner (since the Microsoft tool is not too helpful). It checks for vulnerable DLLs on your system (Windows 2000 and higher). Download from http://isc.sans.org/gdiscan.php.
Virus Description
W32/Bagle.az@MM has the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- harvests email addresses from the victim machine
- the From: address of messages is spoofed
- the attachment (filename price or joke) has an EXE, SCR, COM or CPL extension
- contains a remote access component (listens on TCP port 81 and a random UDP port)
- copies itself to folders that have the phrase SHAR in the name (such as common peer-to-peer applications; KaZaa, Bearshare, Limewire, etc)
- tries to disable anti-virus and security processes, as well as other viruses, such as Netsky
The worm arrives via email with the following characteristics:
FROM: (spoofed; uses email address harvested from local computer)
SUBJECT: (one of the following)
- Re:
- Re: Hello
- Re: Thank you!
- Re: Thanks :)
- Re: Hi
BODY: (one of the following)
ATTACHMENT: (one of the following with EXE, SCR, COM or CPL extension)
The virus copies itself into the default Windows System directory as BAWINDO.EXE. For example, C:\WINDOWS\SYSTEM32\bawindo.exe.
It also creates other files in the default Windows System directory:
- C:\WINDOWS\SYSTEM32\bawindo.exeopen
- C:\WINDOWS\SYSTEM32\bawindo.exeopenopen
The system is hooked to run the virus on startup by the following Registry key entry:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "bawindo" = "C:\WINDOWS\SYSTEM32\bawindo.exe"
It creates a mutex to stop variants of virus W32/Netsky running on the infected computer.
These files are created in folders that contain the phrase SHAR (these folders are used with peer to peer applications such as KaZaa, Bearshare, Limewire, etc.):
- Microsoft Office 2003 Crack, Working!.exe
- Microsoft Windows XP, WinXP Crack, working Keygen.exe
- Microsoft Office XP working Crack, Keygen.exe
- Porno, sex, oral, anal cool, awesome!!.exe
- Porno Screensaver.scr
- Serials.txt.exe
- KAV 5.0
- Kaspersky Antivirus 5.0
- Porno pics arhive, xxx.exe
- Windows Sourcecode update.doc.exe
- Ahead Nero 7.exe
- Windown Longhorn Beta Leak.exe
- Opera 8 New!.exe
- XXX hardcore images.exe
- WinAmp 6 New!.exe
- WinAmp 5 Pro Keygen Crack Update.exe
- Adobe Photoshop 9 full.exe
- Matrix 3 Revolution English Subtitles.exe
- ACDSee 9.exe
The worm removes the following registry values belonging to other worms and security products:
- "My AV"
- "Zone Labs Client Ex"
- "9XHtProtect"
- "Antivirus"
- "Special Firewall Service"
- "service"
- "Tiny AV"
- "ICQNet"
- "HtProtect"
- "NetDy"
- "Jammer2nd"
- "FirewallSvr"
- "MsInfo"
- "SysMonXP"
- "EasyAV"
- "PandaAVEngine"
- "Norton Antivirus AV"
- "KasperskyAVEng"
- "SkynetsRevenge"
- "ICQ Net"
from these registry keys:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
The worm contacts a long list of websites to retrieve a file named WS.JPG. At the time of the posting, the file was not available on any of the web sites. See http://vil.nai.com/vil/content/v_128582.htm for the complete list of web sites.
FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.
If you need assistance, please contact the ITS Help Desk at 808-956-8883 (800-558-2669 toll free from neighbor islands) or email help@hawaii.edu.
W32/Mydoom.s@MM
(aka W32.Mydoom.Q@mm)
August 16, 2004
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4386
Minimum VirusScan scan engine: 4.3.20
For more information:
http://vil.nai.com/vil/content/v_127616.htm
Stinger Removal Tool:
http://vil.nai.com/vil/stinger/ (v2.3.9, 8/16/2004)
August 16, 2004 2:30 pm HST
A new variant of MyDoom has been released... W32/MyDoom.s@MM has been raised to MEDIUM risk by McAfee due to increased prevalence. This email virus spreads with a spoofed (forged, pretending to be someone else) FROM address and the attachment photos_arc.exe.
The virus harvests email addresses from files on the infected computer and has its own SMTP engine to construct outgoing messages. The harvested addresses are sent the virus. The virus downloads a backdoor trojan, BackDoor-CHR, from 2 websites.
As a precaution, please DELETE suspicious email with attachments, even from people you know. Do not even try to open the attachment. If you try to open the attachment (even if it doesn't successfully open), your Windows computer will get infected.
W32/Mydoom.s@MM arrives in email with the following characteristics:
FROM: (spoofed, forged)
may use email address harvested from infected computer or use a list of common names with domain t-online.de, mail.com, yahoo.com, hotmail.com or the domain used for your Internet account
SUBJECT: photos
BODY: LOL!;))))
ATTACHMENT: photos_arc.exe
When the attachment is run, the virus copies itself to the default WINDOWS (C:\Windows or C:\Winnt) directory as rasor38a.dll, and to the default Windows SYSTEM (C:\Windows\System, C:\Winnt\System32, or C:\Windows\System32) directory as winpsd.exe.
The virus creates the following registry key values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "winpsd" = C:\WINDOWS\System32\winpsd.exe
The virus downloads a backdoor component from two different websites:
- www.richcolour.com
- zenandjuice.com
FOR WINDOWS ME/XP USERS: temporarily disable System Restore before running a full system scan (scan all files, compressed files). See http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm for instructions to disable System Restore.
If you need assistance, please contact the ITS Help Desk at 808-956-8883 (800-558-2669 toll free from neighbor islands) or email help@hawaii.edu.
BackDoor-CHR
(aka Backdoor.Nemog)
August 16, 2004
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4386
Minimum VirusScan scan engine: 4.3.20
For more information:
http://vil.nai.com/vil/content/v_127617.htm
August 16, 2004 2:30 pm HST
W32/Mydoom.s@MM downloads the remote access trojan, BackDoor-CHR, which has the following characteristics:
- stealths (hides) its activity on the victim machine
- serves as a HTTP proxy
- serves as an SMTP relay
- attempts to connect to numerous remote IRC servers (for remote reporting/command)
- appends the local hosts file (in an attempt to disable updating of many AV products)
The trojan attempts to connect to a remote IRC server to await commands. It carries a list of IP addresses and relevant ports (4661, 4242, 8080, and 3306) for many IRC servers (see virus description for list of servers and ports).
When executed, the trojan copies itself to the startup folder on the victim machine, as DX32HHLP.EXE. For example:
- C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DX32HHLP.EXE
The trojan also drops a 4,096 byte kernel mode driver used for stealthing:
- %SYSTEMROOT%\SYSTEM32\DX32HHEC.SYS
This component is installed as a service on the victim machine. The service information is stored within the following key:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\dx32hhec
The service bears the following characteristics:
Display name: dx32hhec
Image Path: %SYSTEMROOT%\SYSTEM32\dx32hhec.sys
Startup: Automatic
Note: Once this stealthing driver is running on the victim machine, this threat is not detected by conventional AV scanning methods. You must boot into Safe Mode to detect and remove this trojan.
The trojan appends the local hosts file on the victim machine, redirecting requests for many antivirus and security vendor web sites and update sites to the local host, i.e. the infected computer. Such modified hosts files are detected (and repaired) as QHosts.apd with the 4352 DATs or greater.
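A hosts file edited this way is easy to check for by hand or in a script. The following is an added example, not code from the alert or from McAfee: it parses a Windows hosts file, skipping comments and malformed lines, and reports any watch-listed security-vendor hostname that has been pointed at the loopback or unspecified address, which is what the trojan does to keep the victim from reaching update sites. The watch list is a defender-supplied assumption (vil.nai.com appears in the alert; the example-av.test names are constructed placeholders), and the sample hosts text is constructed rather than captured from an infection.

```python
import ipaddress

# Defender-supplied watch list (an assumption of this example): hosts whose
# sinkholing would silently stop signature updates. vil.nai.com appears in the
# alert; the *.example-av.test names are constructed placeholders.
WATCH_LIST = {"vil.nai.com", "update.example-av.test", "download.example-av.test"}

# Constructed sample of a modified hosts file (not a capture from an infection).
SAMPLE_HOSTS = """\
# constructed sample hosts file
# lines starting with '#' are comments
127.0.0.1       localhost
192.168.1.10    fileserver.example.edu   # a legitimate local entry
127.0.0.1       vil.nai.com
0.0.0.0         update.example-av.test   download.example-av.test
"""


def parse_hosts(text):
    """Yield (line_no, ip_address, [hostnames]) for each real entry."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address/hostname line; skip it
        yield line_no, addr, [h.lower() for h in fields[1:]]


def find_sinkholed_vendors(text, watch_list=WATCH_LIST):
    """Return (line_no, hostname, address) for watch-listed names that resolve
    to loopback or the unspecified address, i.e. entries that make vendor
    sites point back at the infected machine itself."""
    hits = []
    for line_no, addr, hosts in parse_hosts(text):
        if not (addr.is_loopback or addr.is_unspecified):
            continue
        for host in hosts:
            if host in watch_list:
                hits.append((line_no, host, str(addr)))
    return hits


if __name__ == "__main__":
    for hit in find_sinkholed_vendors(SAMPLE_HOSTS):
        print("line %d: %s -> %s" % hit)
```

On Windows NT/2000/XP the file to feed in is %SYSTEMROOT%\system32\drivers\etc\hosts; given the stealth driver described above, read it from Safe Mode as the alert recommends, and remember that a clean hosts file normally contains only the localhost line plus whatever your site added on purpose.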
Two ports (exact port numbers used vary) are opened by the trojan. For example, TCP 33167 and 33170 were opened in testing.
If you need assistance, please contact the ITS Help Desk at 808-956-8883 (800-558-2669 toll free from neighbor islands) or email help@hawaii.edu.
W32/Bagle.aq@MM
(aka W32.Beagle.ao@mm)
August 9, 2004
Platform: Windows 9x/ME, Windows NT/2000/XP, Windows Server 2003
Risk Assessment: Medium
Minimum VirusScan DAT: 4384
Minimum VirusScan scan engine: 4.3.40
For more information:
http://vil.nai.com/vil/content/v_127423.htm
Stinger Removal Tool:
http://vil.nai.com/vil/stinger/ (v2.3.8, 8/9/2004)
August 9, 2004 11:30 am HST
McAfee released VirusScan DAT 4384 to detect W32/Bagle.aq@MM. DAT 4384 has been posted to the UH repositories. Please update your VirusScan DAT as soon as possible using the manual "Update Now" method.
W32/Bagle.aq@MM spreads via email with a spoofed FROM address and a .ZIP attachment (which contains an EXE and an HTML file). The EXE file (same name as the ZIP file) is contained within a folder in the ZIP file, so when it is viewed with Explorer (instead of a stand-alone ZIP utility such as WinZip or PKzip) only the HTML file and a folder are visible.
The HTML file contains exploit code which will automatically run the EXE file, which is a downloader trojan, on vulnerable Windows systems. The downloader trojan contacts a large number of websites to retrieve the virus itself.
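The packaging trick just described (an HTML file at the top level, the executable tucked into a subfolder under the archive's own name) can be detected without ever opening the HTML. The following is an added example, not code from the alert or from any vendor: it lists the members of a ZIP attachment using Python's standard zipfile module, flags executables that sit inside a folder or share the archive's base name, and blocks the archive when such an executable is paired with HTML content. The archive contents and the name docs.zip are constructed for the demonstration; the placeholder HTML carries no exploit code.

```python
import io
import zipfile
from posixpath import basename, splitext

EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
ACTIVE_CONTENT = {".htm", ".html", ".hta"}


def inspect_zip(data, archive_name):
    """Describe the executable and HTML members of a ZIP supplied as bytes.

    ZIP member names always use '/' as the separator, so a '/' in a name
    means the member sits inside a folder, which is the part Explorer does
    not show at the top level of the archive.
    """
    stem = splitext(basename(archive_name))[0].lower()
    findings = {"executables": [], "active_content": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            ext = splitext(name)[1].lower()
            if ext in EXEC_EXTENSIONS:
                findings["executables"].append({
                    "member": name,
                    "nested": "/" in name,
                    "named_like_archive": splitext(basename(name))[0].lower() == stem,
                })
            elif ext in ACTIVE_CONTENT:
                findings["active_content"].append(name)
    return findings


def verdict(findings):
    """Block the Bagle.aq pattern: HTML beside a folder-hidden or same-named EXE.
    Any other executable member is held for review; everything else is allowed."""
    execs = findings["executables"]
    suspicious = any(e["nested"] or e["named_like_archive"] for e in execs)
    if suspicious and findings["active_content"]:
        return "block"
    if execs:
        return "hold"
    return "allow"


def build_sample(members):
    """Build an in-memory ZIP from {member_name: bytes}; constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed archive laid out the way the alert describes.
    sample = build_sample({
        "docs.html": b"<html><!-- placeholder, no exploit code --></html>",
        "docs/docs.exe": b"MZ placeholder",
    })
    print(verdict(inspect_zip(sample, "docs.zip")))
```

The check deliberately inspects the archive listing rather than extracting anything, and it treats the subfolder itself as the signal: a legitimate ZIP of photos or documents has no reason to carry an executable named after the archive in a folder that Explorer's view hides.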
The worm harvests email addresses from files on the infected computer and has its own SMTP engine to construct outgoing messages.
Warning: since the Bagle source code was released on the Internet in early July 2004, please expect more Bagle variants to be released. As a precaution, please DELETE suspicious email with attachments, even from people you know. The current viruses spoof or forge the FROM address, pretending to be sent from someone else. If you try to open the attachment (even if it doesn't successfully open), your Windows computer will get infected.
W32/Bagle.aq@MM arrives in email with the following characteristics:
FROM: (spoofed or forged address)
SUBJECT: (blank)
BODY:
ATTACHMENT (one of the following):